Is jQuery/Ajax safe approach

Question

I have simple login form which runs jQuery script which send request to PHP (ajax) and then return true if login is successful.

My 2 questions will be based on safety.

I am sending data through ajax like this:

$.ajax({
    type: "POST",
    url: "../Php/CheckUserLogin.php",
    data: {"userName" : userName, "password" : password},
    success: function(result){
        switch(result)
        {
            case "0":
                document.getElementById('errorMessage').innerHTML = "Uspesno ste se ulogovali!";
                document.getElementById('errorMessage').style.color = "green";
                break;
            case "NEPOSTOJECI_KORISNIK":
                document.getElementById('errorMessage').innerHTML = "Korisnik ne posotoji!";
                document.getElementById('errorMessage').style.color = "red";
                break;
            case "-1":
            case "1":
                document.getElementById('errorMessage').innerHTML = "Pogresna sifra!";
                document.getElementById('errorMessage').style.color = "red";
                break;
            default:
                document.getElementById('errorMessage').innerHTML = "Greska!";
                document.getElementById('errorMessage').style.color = "red";
                break;
        }
    }
});

Do i need to do some input filtering before sending it to my PHP (i am checking if strings are empty)?

In PHP i am creating sql statement like this: $sql = "SELECT SIFRA FROM KORISNIK WHERE IME = '$input_Username'";

Am i using it in the right way or is there some other (safer) way like with parameters in sql - c#?

Users can send to your server whatever they like, so input filtering should only be used for usability purposes (Showing errors to the users without first sending it to the server). You should do the checks on the server-side. For the latter question: You are vulnerable to SQL Injection. See [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). (But you shouldn't ask more then one question at the time at Stack Overflow.) — Ivar, Jul 21 '18 at 19:40

score 0 · Answer 1 · answered Jul 21 '18 at 19:45

In terms of client-side validation, it's up to you what you want to validate.

In terms of backend. You should definitely never use that code unless you don't care about the data in your database.

You should use prepared statements if you use PDO or mysqli, so you can bind parameters.

$sql = "SELECT SIFRA FROM KORISNIK WHERE IME = :input_username";
$stmt = $dbh->prepare($sql);
$stmt->bindParam(':input_username', $input_username);

http://php.net/manual/en/pdo.prepared-statements.php

http://php.net/manual/en/mysqli.prepare.php

Do not forget that you need to execute the query. – Danielius Jul 21 '18 at 20:05 — Danielius, Jul 21 '18 at 20:05

score -5 · Answer 2 · answered Jul 21 '18 at 19:31

-5

you should use {$input_Username} in strings it is more readable. it is okay to send ajax requests and you should check your strings.

$sql = "SELECT SIFRA FROM KORISNIK WHERE IME = {$input_Username}";

answered Jul 21 '18 at 19:31

GAME DEV

11
1

2

Nope, he should not use that. And for a lot more important reasons than readability. – Danielius Jul 21 '18 at 19:38
well ajax request can be cleaned as for starter this is good. with this he will learn how to keep the site safe from XSS. – GAME DEV Jul 21 '18 at 19:41
2

Promoting db code that is vulnerable to sql injection is a bad thing to do around here – charlietfl Jul 21 '18 at 19:47
"_and you should check your strings_". If you mean in JavaScript as the question suggests, that has no effect in terms of security. – Ivar Jul 21 '18 at 19:53

Is jQuery/Ajax safe approach

2 Answers2