0

As a beginner, I'm always wondering if what I'm doing is actually secure. For example, I recently finished working on some code which checks how many times a (cross-domain) iframe has been clicked and, when it is clicked, inserts a row into a MySQL (log) table based on an ajax request (with jQuery) which wraps the ID of the iframe into a $_POST:

    $.ajax({
        url: 'execute.php',
        data: {action: 'some-id'},
        type: 'post'
    });

However, I'm wondering: because JavaScript is executed client-side, is it possible for a user to send fake data through the ajax request to the 'execute.php' page?

3
  • 2
    It absolutely is possible, that's why you should always check the data in your PHP code. Commented Jul 22, 2015 at 17:14
  • 1
    Yes; you cannot trust any data that comes from the client. Commented Jul 22, 2015 at 17:17
  • A client can completely ignore whatever your code does and send any arbitrary data to that endpoint. Commented Jul 22, 2015 at 17:39

2 Answers

2

is it possible for a user to send fake data through the ajax request to the 'execute.php' page?

Yes.


2

is it possible for a user to send fake data through the ajax request to the 'execute.php' page?

It is completely possible; you should add validations on the server.

For example, if I go to your site, open the console and write this code:

    $.ajax({ 
        url: 'execute.php',
        data: {action: '1'},
        type: 'post'
    });

It will send a request to your execute.php sending the info action=1.
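One way the server-side validation recommended in the answers could look in `execute.php`, as an added example that is not code from the question or either answer. The allowlist of iframe IDs, the table `iframe_clicks` with its columns, and the database DSN and credentials are assumptions made for illustration.

```php
<?php
// execute.php (added example): everything in $_POST is treated as untrusted.
declare(strict_types=1);

// Assumption: the only iframe IDs the page can legitimately report.
const ALLOWED_IFRAME_IDS = ['some-id', 'other-id'];

/**
 * Return the validated iframe ID, or null when the value is missing,
 * is not a string (action[]=x arrives as an array), or is not allowlisted.
 */
function validated_action(array $post): ?string
{
    $action = $post['action'] ?? null;
    if (!is_string($action)) {
        return null;
    }
    return in_array($action, ALLOWED_IFRAME_IDS, true) ? $action : null;
}

function log_click(PDO $pdo, string $iframeId): void
{
    // Prepared statement: the value is bound, never concatenated into SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO iframe_clicks (iframe_id, clicked_at) VALUES (:id, NOW())'
    );
    $stmt->execute([':id' => $iframeId]);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405); // only POST is accepted
    exit;
}

$action = validated_action($_POST);
if ($action === null) {
    http_response_code(400); // reject anything the page could not have sent
    exit;
}

// Assumption: placeholder DSN and credentials.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
log_click($pdo, $action);
http_response_code(204);
```

This check only guarantees that the stored value is one the application expects; it cannot prove that a click actually happened, so the logged counts remain client-reported data.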
