how can protect javascript functions from console?

Question

I have a function called 'delete' like this :

<div onclick="delete($post_id, $_SESSION['id']">somelink</div>

function delete(post_id, session_id) {
  var p_id = post_id;
  var s_id = session_d;

  $.ajax({
    url:"delete.php",
    type:"POST",
    data: {  
      p_id: p_id,
      s_id: s_id
    },
  });
})

delete.php is a page to delete the post = p_id which was added from user id = s_id.

My problem is any user can delete any post for only the console when typing in it the function 'delete();' with parameters it called and delete posts!

Any ideas, please.

Answer 1

You can not. Nor should you.

You should always assume that data from the client side is corrupted and should be treated accordingly. That includes form data, or in this case, a AJAX request.

This means that you have to apply validation at the server side, let PHP do it for you. E.g.: Limit the number of posts you can delete per X time. And double check that the post actually belongs to the person who is deleting it.

---

The reason you can't do this, is because you create javascript which is clientside. If you create a function to prevent changing the code, the client can alter the code on their machine to ignore that. You could make a function to check of the function to check is changed, but again; client can change it.

Answer 2

Unfortunately you can't. What you need to make sure though is making the function safe on the server which, in simple terms, boils down to

1. Validating every request and input parameters on the server so that people won't be able to manipulate or change server side data from client side.
2. make sure all data that you send to the client is originated from server as well. one of the ways to prevent calling a function from client side is NOT to expose your methods in the global scope. and remember if your code is very critical and important, always move it to server-side. it is not a good practice to cover application design issues with programming workarounds. calling functions from client side shouldn't be an issue if the program is designed right.

Answer 3

First of all, this is bad. You should have authentication.

However, you can do that:

(function() {
  $('#BUTTON_ID').on('click', function(post_id, session_id) {

    var p_id = post_id;
    var s_id = session_d;

    $.ajax({
      url:"delete.php",
      type:"POST",
      data: {  
        p_id: p_id,
        s_id: s_id
      },
    });
  })
})();

And add "BUTTON_ID" as id for your button.

Not that even that way, it is still not secure.

With this way, you can't call delete from the console. But someone can look into the source code and copy your ajax call and paste it into his console and it will works. It is not a good way to prevent people deleting your posts.

You should read about web application security. You should have an authentication process with tokens that expires after x time. Tokens will authenticate the user and from here, you can check if the user have the right to delete post. If the user do not have the right, you don't show the button. Then if the user call it from it console, he will get an error from the backend server.