Hello guys, I'm trying to make a web app; basically it deletes a row in the database through Ajax, but I wonder, is there any way that someone can edit the value sent by Ajax?

I have the following code.

$(function(){
    $('.eliminar').click(function(){
        // Read the id out of the markup next to the clicked delete button
        alert($(this).closest('.contenedor').children('.pregunta').children('.id').text());
    });
});

With this code I receive the id. When we use Chrome we can edit the HTML temporarily (obviously we are not editing the site). I wonder if this way is secure enough to protect the database; otherwise anybody can edit the id 89 to 64 or 4555, etc.

I hope you can help me. Regards!

M.suleman Khan
El arquitecto
  • What does this app do? Why can the user delete something in your database? If he/she can, is there authentication? – Ali Somay Jul 23 '17 at 16:56
  • This is just an ask-and-response board, but when the user clicks on a question they can delete it. But I wonder if they can delete another one if the user changes the ID; I mean, can the user edit the ID, making something like JavaScript injection? – El arquitecto Jul 23 '17 at 17:04
  • The key point is: do you need registered users, or can any user use your board? The answer changes according to that. – Ali Somay Jul 23 '17 at 17:07

3 Answers


You haven't given much information regarding your server or what framework you are using. Those things will determine some of this.

You will want to set up HTTPS on your server. These are some Apache examples: https://www.sslshopper.com/apache-server-ssl-installation-instructions.html https://www.digicert.com/ssl-certificate-installation-apache.htm

And

Authenticate your request; on the server you will want to have a check for authentication prior to allowing any changes. How this will actually work will depend on your framework and server.

// username and password are assumed to hold the logged-in user's credentials;
// the url and the id variable are placeholders for your own endpoint and the id read from the page
$.ajax({
    url: '/delete',
    type: 'POST',
    data: { id: id },
    beforeSend: function (xhr) {
        xhr.setRequestHeader("Authorization", "Basic " + btoa(username + ":" + password));
    }
});

Reference: How to use Basic Auth with jQuery and AJAX?

user3738936

Yes. A user can edit that field. But you should never expose a REST API for deleting any sensitive or generic data to a guest user. Expose it only to authenticated users. If you are exposing some APIs to guest users as well, it would be good to mask sensitive info before presenting it to the client.


If you give the power to delete stuff in your database to an authenticated user, then it is easy. All authenticated users will have session cookies (something unique that identifies them when they are authenticated). You collect that on the server, and then you will know that it is them. In your backend you should construct an authentication system which decides which user can do something or not. You can restrict them from some things or allow others.

If you give the power to delete stuff to guest users or any user, you can write an API on top of your database operations and expose only the right part of it to guest users.

Ali Somay
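The server-side check that both user3738936's answer (authenticate before allowing any change) and Ali Somay's answer (identify the user from the session cookie, then decide what they may do) describe, as an added example that is not code from the question or from any of the answers. It is plain Node.js with no framework: the "database" and "session store" are constructed in-memory Maps, the rows and cookie value are made-up sample data, and the names deleteQuestionInsecure, deleteQuestionSecure, parseId and tamperedDeleteScenario are hypothetical. The scenario is exactly the one the asker worries about: a logged-in user edits the id in the page from 89 to 64 and sends the request.

```javascript
// Added example (not from the original question or answers): a delete
// handler modelled in plain Node.js so it runs offline. The database,
// session store and request objects below are constructed sample data;
// the function names are hypothetical.

// Constructed sample rows: which user owns which question.
function makeDb() {
  return new Map([
    [64, { id: 64, owner: 'alice', text: 'How do I center a div?' }],
    [89, { id: 89, owner: 'bob', text: 'Why does my AJAX call fail?' }],
    [4555, { id: 4555, owner: 'carol', text: 'Is btoa encryption?' }],
  ]);
}

// Constructed session store: opaque cookie value -> authenticated user.
const SESSIONS = new Map([
  ['s3ss10n-bob', 'bob'],
]);

// The id arrives as a string, exactly as in a real query string or form body.
// Reject anything that is not a plain decimal integer before touching the DB.
function parseId(raw) {
  if (typeof raw !== 'string' || !/^\d{1,9}$/.test(raw)) return null;
  return Number(raw);
}

// INSECURE: trusts the id from the client and deletes whatever row it names.
// This is the situation in the question: changing 89 to 64 in the DOM (or in
// the request itself, which needs no DOM editing at all) deletes someone
// else's question.
function deleteQuestionInsecure(db, request) {
  const id = parseId(request.body.id);
  if (id === null) return { status: 400 };
  const existed = db.delete(id);
  return { status: existed ? 200 : 404 };
}

// SECURE: authenticates the caller from the session cookie, then authorises
// the delete by checking ownership on the server. The equivalent SQL is
//   DELETE FROM questions WHERE id = ? AND owner = ?
// with both values bound as parameters, so the client-supplied id can only
// ever match rows the session user owns.
function deleteQuestionSecure(db, request) {
  const user = SESSIONS.get(request.cookies.session);
  if (!user) return { status: 401 }; // not logged in
  const id = parseId(request.body.id);
  if (id === null) return { status: 400 };
  const row = db.get(id);
  // Return 404 for both "no such row" and "not yours", so the endpoint does
  // not tell an attacker which ids exist.
  if (!row || row.owner !== user) return { status: 404 };
  db.delete(id);
  return { status: 200 };
}

// Scenario: bob is logged in and tampers with the id so the request names
// alice's question 64. Returns the response and whether row 64 survived.
function tamperedDeleteScenario(handler) {
  const db = makeDb();
  const request = { cookies: { session: 's3ss10n-bob' }, body: { id: '64' } };
  const response = handler(db, request);
  return { status: response.status, question64Survives: db.has(64) };
}

console.log('insecure handler:', tamperedDeleteScenario(deleteQuestionInsecure));
console.log('secure handler:  ', tamperedDeleteScenario(deleteQuestionSecure));
```

The point the example makes is that HTTPS and a login by themselves do not fix the problem: the insecure handler is reachable only by logged-in users and would be served over TLS, yet it still deletes alice's row because the ownership decision is never made on the server. The secure handler also returns the same 404 for "not found" and "not yours", which keeps the endpoint from confirming which ids exist.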