
I have a form which collects user data. Using Ajax and jQuery I am passing this data to a PHP page to insert in the database. The problem is I have some JavaScript code in script tags which gets values from form fields, and there is some business logic associated with it. I have some hidden fields whose value is set by the JavaScript code automatically based on other field values. If someone edits this code and changes these values (let's say adds some garbage values) and hits submit, this will cause wrong values to be inserted in the DB. How do I make this code non-editable?

  • You cannot. Anything you publish is changeable – mplungjan Aug 27 '20 at 12:53
  • Never fully trust anything coming from the browser. Always perform server-side validation and use prepared statements/parameter binding when inserting into the DB. – aynber Aug 27 '20 at 12:53
  • JavaScript is run on the client, you can't stop people from editing it. That's why you usually have frontend validation for UX, and server validation for making sure the data that's going into the database isn't malicious. – ninja Aug 27 '20 at 12:54

1 Answer

How do I make this code non editable?

You can't. The client doesn't even have to use your code at all, they can craft whatever HTTP requests to your server that they want.

Basically, you're looking at this the wrong way. Instead of trying to stop the client from doing something on their computer, you need to stop them from doing something on your server. Before you perform any sensitive operation in your server-side code, validate the request. Never implicitly trust a request from the client, always validate that the user is permitted to perform the operation.

David
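What "validate the request on the server" looks like for the hidden-field case in the question, as an added example that is not part of the answer or the asker's code: the PHP endpoint that receives the Ajax POST reads only the inputs the user is genuinely allowed to choose, recomputes the derived value itself, and inserts with a prepared statement. The field names (`product_id`, `quantity`, the hidden `total`), the `products` and `orders` tables, and the PDO connection details are assumptions made for the illustration.

```php
<?php
// Added example, not from the question or answer. Assumed request shape:
// POST product_id, quantity, and a hidden "total" that the page's
// JavaScript filled in. The server never uses that "total".
declare(strict_types=1);

header('Content-Type: application/json');

// Validate the user-chosen inputs with explicit types and ranges.
$productId = filter_input(INPUT_POST, 'product_id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$quantity  = filter_input(INPUT_POST, 'quantity',   FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 1000]]);

if ($productId === null || $productId === false || $quantity === null || $quantity === false) {
    http_response_code(422);
    echo json_encode(['error' => 'invalid input']);
    exit;
}

// Assumed DSN/credentials; in practice these come from configuration.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// The price is server-side data, looked up by id, not taken from the form.
$lookup = $pdo->prepare('SELECT unit_price FROM products WHERE id = :id');
$lookup->execute([':id' => $productId]);
$row = $lookup->fetch();
if ($row === false) {
    http_response_code(422);
    echo json_encode(['error' => 'unknown product']);
    exit;
}

// Recompute the derived value with the same business rule the browser
// applies; only the server's result reaches the database.
$total = round($quantity * (float) $row['unit_price'], 2);

// A mismatch with what the client sent is worth logging: it means the
// page's JavaScript was bypassed or altered, which is a useful signal.
if (isset($_POST['total']) && abs((float) $_POST['total'] - $total) > 0.005) {
    error_log(sprintf('client total %s != server total %.2f (ip %s)',
        (string) $_POST['total'], $total, $_SERVER['REMOTE_ADDR'] ?? '-'));
}

// Prepared statement: values are bound parameters, never concatenated SQL.
$insert = $pdo->prepare(
    'INSERT INTO orders (product_id, quantity, total) VALUES (:product_id, :quantity, :total)'
);
$insert->execute([
    ':product_id' => $productId,
    ':quantity'   => $quantity,
    ':total'      => $total,
]);

echo json_encode(['ok' => true, 'total' => $total]);
```

The hidden field can stay in the page for the user's benefit (showing the running total), but the server treats it as a hint at most; the value that is stored is always the one the server derived from data it controls.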
  • I get it. But suppose I have JS code which will log out the user if he is inactive for 10 min (no mouse hover, no keyup). If the user can modify this to, say, 100 min, then this beats the purpose of the code. – Ranjeet Thorat Aug 27 '20 at 13:07
  • @RanjeetThorat: Client-side code is for providing a user experience. Server-side code is where security takes place. If the user's authentication has expired server-side, but the user chooses to ignore that logic client-side, then the user's next request which requires authentication would result in an error, and that error is entirely the user's own doing. There's no problem in that. The only problem is if your server-side code *doesn't* enforce security and assumes the user is valid. – David Aug 27 '20 at 13:11
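The inactivity timeout from the comment thread, enforced on the server as an added example that is not the asker's or the answerer's code: the browser's 10-minute logout timer stays purely cosmetic, because every authenticated request is checked against a last-activity timestamp kept in the PHP session. The session keys (`user_id`, `last_activity`) and the idea that every protected endpoint calls `requireActiveSession()` first are assumptions for the illustration; the login handler is assumed to set both keys when the user signs in.

```php
<?php
// Added example, not from the page. Assumes the login code sets
// $_SESSION['user_id'] and $_SESSION['last_activity'] on successful login.
declare(strict_types=1);

// 10 minutes, matching the client-side timer in the question.
const INACTIVITY_LIMIT = 600;

session_start();

function requireActiveSession(int $limit = INACTIVITY_LIMIT): void
{
    $now      = time();
    $loggedIn = isset($_SESSION['user_id']);
    $expired  = isset($_SESSION['last_activity'])
        && ($now - (int) $_SESSION['last_activity']) > $limit;

    if (!$loggedIn || $expired) {
        // Tear down the server-side session no matter what the browser's
        // timer did (or was edited to do), then refuse the request.
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();

        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => $expired ? 'session expired' : 'not authenticated']);
        exit;
    }

    // Authenticated and within the limit: refresh the activity stamp so the
    // window is measured from the last real request, not from page load.
    $_SESSION['last_activity'] = $now;
}

// Every endpoint that requires authentication calls this before doing work.
requireActiveSession();
// ... handle the authenticated request here ...
```

With this in place, a user who edits the client-side timer to 100 minutes simply gets a 401 on their next request after 10 idle minutes, which is exactly the outcome the comment describes: the error is the user's own doing and the server's data is never at risk.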