
I want to store some variables on the client side. Currently I have a few options (JavaScript variable, cookie, session). Because I want to reduce the workload on the server, the incoming parameter will not be checked on the server side.

For example,

Client side

<div id="showmoney"></div>

<script>
// Assumes jQuery is loaded. The balance lives in a browser variable,
// so anything with access to the page (Firebug, the console) can change it.
var money = 10000;

$('#showmoney').html(money);

function changemoney()
{
    // Pass the variable 'money' by AJAX to PHP. The endpoint name is assumed;
    // the question only says "pass the variable by ajax to php".
    $.post('changemoney.php', { money: money });
}
</script>

PHP side

<?php

// The balance is taken straight from the request: whatever the browser
// sends becomes the new value, with no check against the server's own record.
$money = $_POST['money'];

// $money is concatenated unvalidated into the statement, so anything the
// client puts in the field, including SQL syntax, becomes part of the query
// (SQL injection).
$sql = "UPDATE user_details SET money = ".$money." WHERE uid = 123";

// do query... ($mysqli is assumed to be an open mysqli connection)
$mysqli->query($sql);

?>

Are there any methods to make it more secure? I am afraid someone can modify the JavaScript variable with tools (Firebug? If yes, how?).

thanks a lot~:)

AstroCB
ykc
  • Also, please understand that if you are actually dealing with money, you really need to get a better grasp of security. Your code shows at least two problems (the one the question is about and SQL injection). For instance, have a look at http://www.amazon.com/Web-Application-Hackers-Handbook-Discovering/dp/0470170778 Depending on the country you live in and on the damage you cause, you may be considered criminally liable if you do not make reasonable security efforts. – Andrea Feb 24 '11 at 15:44
  • Thanks Andrea, and everyone. I've learnt a lot from you, and I found a very useful page http://www.slideshare.net/billkarwin/sql-injection-myths-and-fallacies while searching, and I need not worry about my question because that is the wrong way :) – ykc Feb 24 '11 at 16:13

6 Answers


Every variable that you do not want the user to change (such as a price tag) HAS to be stored on the server and not on the client. There are A LOT of ways to change what the client sends to you, and Firebug is just the simplest tool. More sophisticated tools will allow you to intercept and edit every HTTP request.

Andrea
  • You are right, but cryptography in JavaScript is an option if you want to do that. –  Feb 24 '11 at 15:35
  • I don't think it is. Both the cryptographic library and the key to encode with will be available on the client, and anyone will be able to encode and submit different values, although they may not be able to decipher them. – Andrea Feb 24 '11 at 15:40

Are there any methods to make it more secure? I am afraid someone can modify the JavaScript variable with tools (Firebug? If yes, how?).

You can never, ever trust incoming data from the client. It can always be manipulated. Essential checks, like prices, you need to do on the server side; a client-side check is merely for the user's convenience.

Also, the code you show has a SQL injection vulnerability that you should sort out.

Pekka
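What the two answers above amount to in code, as an added example that is not from the question or any answer: the browser sends only an intent (which item to buy), while the price, the current balance and the user id all come from the server, and every query is parameterised. The PDO connection details, the `items` table, and the `$_SESSION['uid']` set by an earlier login are assumptions for this example; only `user_details(uid, money)` comes from the question.

```php
<?php
declare(strict_types=1);

// Added example: server-authoritative replacement for the question's endpoint.
// Assumptions (all hypothetical): PDO connection details below are placeholders,
// a table items(id, price) exists beside user_details(uid, money), and login
// has already stored the user id in $_SESSION['uid']. Tables are InnoDB so
// that FOR UPDATE actually locks the row.

session_start();

$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',   // placeholder DSN
    'app_user', 'app_password',                           // placeholder credentials
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

/**
 * Debit the logged-in user for one item.
 *
 * Nothing the browser can edit (JavaScript variables, cookies, hidden fields)
 * enters the arithmetic: price and balance are read from the database and the
 * new balance is computed here, not accepted from the request.
 *
 * @return array{ok: bool, error?: string, money?: int}
 */
function buyItem(PDO $pdo, int $uid, int $itemId): array
{
    $pdo->beginTransaction();
    try {
        // Price comes from the server, never from the request.
        $stmt = $pdo->prepare('SELECT price FROM items WHERE id = ?');
        $stmt->execute([$itemId]);
        $price = $stmt->fetchColumn();
        if ($price === false) {
            $pdo->rollBack();
            return ['ok' => false, 'error' => 'unknown item'];
        }

        // Lock the balance row so two concurrent requests cannot both pass the check.
        $stmt = $pdo->prepare('SELECT money FROM user_details WHERE uid = ? FOR UPDATE');
        $stmt->execute([$uid]);
        $money = $stmt->fetchColumn();
        if ($money === false || (int)$money < (int)$price) {
            $pdo->rollBack();
            return ['ok' => false, 'error' => 'insufficient funds'];
        }

        // Parameterised UPDATE: no string concatenation, so the value can only
        // ever be data, never SQL.
        $stmt = $pdo->prepare('UPDATE user_details SET money = money - ? WHERE uid = ?');
        $stmt->execute([(int)$price, $uid]);

        $pdo->commit();
        return ['ok' => true, 'money' => (int)$money - (int)$price];
    } catch (Throwable $e) {
        if ($pdo->inTransaction()) {
            $pdo->rollBack();
        }
        throw $e;
    }
}

// The user id comes from the session, not from the POST body, so one user
// cannot debit (or credit) another account by editing a request.
if (!isset($_SESSION['uid'])) {
    http_response_code(401);
    exit;
}

// The only client-supplied field is validated as a positive integer.
$itemId = filter_input(INPUT_POST, 'item_id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($itemId === false || $itemId === null) {
    http_response_code(400);
    exit;
}

header('Content-Type: application/json');
echo json_encode(buyItem($pdo, (int)$_SESSION['uid'], $itemId));
```

The client-side `money` variable can still exist for display, but it is now a cache of the server's answer rather than an input to it; the Firebug edit from the question changes what the user sees, not what is stored.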

Anything you store in the client (browser) can be manipulated. The fix for your issue is to verify that the information sent back to the server hasn't been tampered with.

tpow
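One way to do the tamper check this answer describes, as an added example (not code from any answer on this page): the server attaches an HMAC to the value before handing it to the client and recomputes it on the way back. The key stays on the server, which is the difference from "cryptography in JavaScript" in the comments above. The key constant is a placeholder standing in for a secret loaded from configuration, and the `|`-separated token format is an assumption of this example.

```php
<?php
declare(strict_types=1);

// Added example: a value the client may hold (cookie, JS variable,
// localStorage) that the server can check for tampering on return.
// Assumption: the literal below is a placeholder for a random secret loaded
// from server-side configuration; it must never be sent to the browser.
const HMAC_KEY_PLACEHOLDER = 'replace-with-32-random-bytes-from-config';

/**
 * Issue a token "uid|money|mac". Including the uid in the MAC input binds the
 * value to one account, so a token cannot be replayed for another user.
 */
function issueToken(int $uid, int $money, string $key): string
{
    $payload = $uid . '|' . $money;
    $mac = hash_hmac('sha256', $payload, $key);
    return $payload . '|' . $mac;
}

/**
 * Validate a token that came back from the client. Returns the money value
 * when the MAC matches and the token belongs to $expectedUid; null otherwise.
 */
function readToken(string $token, int $expectedUid, string $key): ?int
{
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$uid, $money, $mac] = $parts;
    // ctype_digit rejects empty strings, signs and anything non-numeric.
    if (!ctype_digit($uid) || !ctype_digit($money)) {
        return null;
    }
    $expected = hash_hmac('sha256', $uid . '|' . $money, $key);
    // hash_equals compares in constant time, so the MAC cannot be recovered
    // byte by byte from response timing.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if ((int)$uid !== $expectedUid) {
        return null;   // genuine token, but for a different account
    }
    return (int)$money;
}

// Demonstration with constructed values (not real data).
$token = issueToken(123, 10000, HMAC_KEY_PLACEHOLDER);
var_dump(readToken($token, 123, HMAC_KEY_PLACEHOLDER));

// The console edit from the question: change the number, keep the old MAC.
$tampered = preg_replace('/\|10000\|/', '|10000000000000|', $token);
var_dump(readToken($tampered, 123, HMAC_KEY_PLACEHOLDER));

// Same token presented from another user's session.
var_dump(readToken($token, 456, HMAC_KEY_PLACEHOLDER));
```

The first call returns the original value; the tampered token and the cross-account use both fail verification and return null. Two caveats: the client can still see the value (HMAC gives integrity, not confidentiality), and it can replay an older token that was valid at the time, for instance a balance from before a purchase. A signed token therefore suits things like a quoted price or a chosen item list; the balance itself should stay authoritative on the server, as the other answers say.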

People can do just about anything to the page they want.

In the Google Chrome debugger (accessed with Ctrl+Shift+J) they could do the following in the console:

money = 10000000000000; //Or whatever arbitrary value they choose
changemoney();

As other people have said, never trust anything that people pass into the server from the client. The server needs to do a sanity check.

Peter Olson

You have to align your desire to store something on the client for performance with the need for security. Sensitive info should only be on the server. Any savvy web user can tweak the JavaScript. Save bandwidth by putting other, less sensitive info on the client.

hvgotcodes

Do you know about client-side database storage, the brand new API in HTML5? Try to find a solution with it. It may be helpful for you to save some data on the client side.

  • Thanks Ian Moss, but I will not use HTML5 currently; maybe after most of the users (the browsers the users are using) are ready :) – ykc Feb 24 '11 at 16:16