0

I am creating an application using JavaScript and PHP.
I post my data to a PHP file and then the PHP file insert my data into the MySQL database. All good but I have some doubts about security because my dom can be easily manipulated using the browser.

For example my code like below

var req = {
            method: 'POST',
            url: 'phpfile/send_message.php',
            headers: {
                'Content-Type': undefined
            },
            data: {
                "UserId": UserId,
                "Message": Message,
                ...
                ..
            }
        };
        $http(req).then(function successCallback(response) {
                //Do Something
        }, function errorCallback(response) {
                //Do Something
        });

anyone can put a breakpoint in this code and easily can change the UserId, therefore, the message sends to another user.

Ok, I know I can minify my Script but I think this is not enough. If someone wants to change data, he can find the code easily.

Is there any way to prevent this? Any information you can provide me would be greatly appreciated.

MareCieco
  • 157
  • 1
  • 19
  • 2
    You also don't need to edit the code you can simply edit the request. If your system isolates users to only talk to friends, then do that logic serverside too. If `UserId` is *from* user then that should be serverside in session, if its the *to* user, then just check the user can send to them. – Lawrence Cherone Jul 19 '18 at 06:58
  • `'Content-Type': undefined` <- why? A POST request with data should **always** have a content-type – Phil Jul 19 '18 at 06:58

0 Answers0