JQUERY AJAX

var action="G3DKisVzJmPZa8c7nKTHJkqEmtSezwLNF3FVquwsNMi05OGkhNIdigm/EDUndoROtGQgmugg568OidxYzB5eJ5e9CAcrahEBBNcARkfMdy5givNlXsyPjTA4ulBRsGap|VjZgMVTK7unm+YL+b4lAfECAVwKePb/R6etD95oGAbw=";
var table="LWwkQy/JbJl959qQn/1jAZ+wwsz4qlGXJmN0P1/3/2maJCug+rh5RB2TmgriPxX1iVRKSXoWFQefvfRgFjMb0ys4YLQty10Xnqi1ubO+JfrrZ8fuEGu6DGmWNHuVhwCU|aV7uxHNJGmJ08wk0dzRhJcfT1COXHWJSKmtO3KHclLA=";
var fields="PatIyJMBdUYsR87bLwlVaar7xnPOkMaqq1o/WEnQNwJrurySi2jZO66Y0iQube4WTUaBork1PELJ94xqBU8oPMQz7+CZWBum9oeJpsVS+3CXAx6bmDCf08EDXz8x/4m1trs8CLA7ihhBYAeJVb93i+Giszp72pZsOQreYhmE12A=|cFOi51p8JRNFDSjUlQB2mtrt6P/1mVsNpqEBR+5QWxQ=";
var params=Yer+","+Tabaghat_From+","+Tabaghat_To+","+Mabna;

$.ajax({
    url: "ajax/operationAJAX.php",
    type: "POST",
    // action/table/fields are sent AES-encrypted; params is sent as a plain, comma-joined string
    data: {action: action, table: table, fields: fields, params: params},
    success: function (response, textStatus, jqXHR) {
        // the PHP side echoes "empty" when the operation returned nothing
        if ($.trim(response) != "empty") {
            TShowMessage("tblMessage", response);
        } else {
            TShowMessage("tblMessage", "error:fail to insert data");
        }
    },
    error: function (jqXHR, textStatus, errorThrown) {
        alert("error" + textStatus);
    }
});

PHP

$action=mc_decrypt($_POST["action"]);   // action token arrives AES-encrypted
if($action=="delete")
{
    //Table name (decrypted before use)
    if(isset($_POST["table"]) && !empty($_POST["table"]))
        $table=mc_decrypt($_POST["table"]);
    else
        die('table name does not define');
    //===================
    //parameters (used exactly as sent by the client; not decrypted)
    if(isset($_POST["params"]) && !empty($_POST["params"]))
        $params=explode(',',$_POST["params"]);
    else
        die('parameters does not define');
    //===================
    //where clause (decrypted before use)
    if(isset($_POST["where"]) && !empty($_POST["where"]))
        $where=mc_decrypt($_POST["where"]);
    else
        die('where does not define');
    //===================

    //$dbHandle->delet() builds and runs the DELETE from the decrypted table/where and the raw params
    $delete=$dbHandle->delet($table,$params,$where);

    if(!empty($delete))
    {
        echo "data deleted!";
    }
    else
    {
        echo "empty";
    }
}

I use AES encryption to encrypt action, TableName, FieldTable, Params and Where, and send them to the server; on the server, based on the action, I execute an insert, select, delete or update SQL statement.

**Question:** Is this a security risk?

Would someone be able to use this information to perform illegal operation on the DB?

  • Params is not encrypted. Commented Nov 17, 2014 at 6:06
  • Params is dynamic and is changed by the user; I can encrypt params after any update by the user. Commented Nov 17, 2014 at 6:15
  • Then what does the delet method actually do with the provided parameter values? Commented Nov 17, 2014 at 7:01
  • I do not know... but params come from the user. Commented Nov 17, 2014 at 9:23
  • Your approach is not "a security risk" per se, as in it does not (seem to) introduce new weak points. The problem is that it provides little to no extra layer of security. You are just making it less obvious to your user what the Ajax call does. But this could be easily reverse-engineered: as a malicious user, I just need to figure out which table the encrypted string "LWwkQy/blah_blah" maps to. Commented Dec 1, 2014 at 11:41

2 Answers


Only use inherently secure methods

There can be no good reason to put SQL command information, albeit encrypted, in Javascript. It just should not be there. NEVER.

The normal way to work with ajax, javascript and databases is quite straightforward:

  1. Send a command with ajax to a PHP file. This should be a simple command, like: 'Delete this address', or 'Insert this address'. The important thing to realise is that these commands are generated by a user, and therefore there's no reason to hide or encrypt them. You could use an SSL-secured connection if you want to secure data transfers.

  2. The PHP file that processes the ajax call should do all the security checks: Is this user authorised to perform this action? Is the data valid? Only when all the checks are passed should the SQL command be built and executed.

I can see no reason to deviate from this way of working. Data sent to your PHP scripts should be thoroughly scrutinized, and at no point should user input be directly used to build SQL command strings. User input should only be used as values of fields in SQL, preferably by binding them, or to direct PHP program flow. Anything else is always a security risk.
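An added example (not the asker's code and not from the answer) of the approach the answer describes: the client sends only an abstract command token, a resource token and an id; the server maps the resource token to a table through its own whitelist, validates the value, and binds it into a prepared statement together with an ownership check. Assumptions: a PDO handle, a session holding the logged-in user's id, and tables `addresses` and `posts` that each carry a `user_id` owner column.

```php
<?php
// Server-side whitelist: the client never names a table or column.
// Table and owner-column names are assumed for this example.
const RESOURCES = [
    'address' => ['table' => 'addresses', 'owner' => 'user_id'],
    'post'    => ['table' => 'posts',     'owner' => 'user_id'],
];

// Handles the request {command: "delete", resource: "post", id: 10}
// sent by the Ajax call; returns a status string for the client.
function handleDelete(PDO $pdo, array $post, int $currentUserId): string
{
    $resource = $post['resource'] ?? '';
    if (!isset(RESOURCES[$resource])) {
        return 'error: unknown resource';      // token not in whitelist: refuse
    }

    // The id is the only user-controlled data that reaches SQL; validate it first.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'error: invalid id';
    }

    $table = RESOURCES[$resource]['table'];   // identifiers come from the whitelist
    $owner = RESOURCES[$resource]['owner'];

    // The value is bound, never concatenated; the owner check enforces
    // authorisation in the same statement, so a user can only delete own rows.
    $stmt = $pdo->prepare("DELETE FROM `$table` WHERE id = :id AND `$owner` = :uid");
    $stmt->execute([':id' => $id, ':uid' => $currentUserId]);

    return $stmt->rowCount() === 1 ? 'deleted' : 'error: not found or not yours';
}

// Request handling (session and DSN values are placeholders for this example).
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('login required');
}
$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

if (($_POST['command'] ?? '') === 'delete') {
    echo handleDelete($pdo, $_POST, (int) $_SESSION['user_id']);
} else {
    echo 'error: unknown command';
}
```

Adding an insert or update follows the same shape: another whitelisted token, validated values bound into a prepared statement, and an ownership or role check on the server.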


6 Comments

  • I want to write some JavaScript functions (insert, delete, edit, update) one time and use them several times.
  • You may. Just make them like commands: Delete, post, 10 - so it will delete post 10. If you write Delete, image, 10 it will delete the image. You should NEVER allow anyone to see the commands, passwords and so on. That is why people invented web services - give a command, enough parameters and voila - the command is executed inside - how - you don't care, you just know it is done and you retrieve error statuses (correct, error, login required, validation failed... and so on - you make your own protocol).
  • No one can find the table name to send a correct command, because the table name is encrypted.
  • Why would you want to rely on the assumption that your encryption is perfect? What if it isn't? Moreover, you don't need to put parts of your SQL query in JavaScript for your code to do what it does. Use abstract tokens and translate those, in a secure way, into a SQL command.
  • It sounds like somebody wants a simple CRUD REST API on top of their DB structure.

Maybe (or probably, if you're paranoid) is the answer here. Taking a door as an analogy: you're basically putting the lock out for everyone to use and giving keys to your users. The users just don't know how to generate a new key that will do something else, and they don't know what is inside the one you give them.

Let me put some thoughts out:

  1. Will you keep updating this code? At some point in time AES will not be secure anymore and you will have to switch encryption.
  2. Given enough time and data somebody could (possibly?) find out your key. At that point he will be able to read and (re)generate anything he wants.
  3. It also boils down to your secret key, how is it protected?

Current cryptography is usually secure; a lot of problems arise from the "surrounding" mistakes/bugs/errors.

We can't really tell from the code you posted if your encryption is "good" not that I'll be willing to confirm it either :)
