3

We have an application that has a lot of forms for submitting data. The forms make heavy use of AJAX with JSON for posting information to the database. I'm concerned about events where a malicious user may try to call our Ajax interface by passing JSON structured data. The php script would not differentiate between our own server calling it or the call being made from outside. In theory, the malicious user can write content in our database without going through our web site. Is this a valid concern and if so, are there ways to tackle this?

Improve this question
2
  • 1
    Force users to log in via PHP sessions. Enable SSL/TLS so no one can eavesdrop (Godaddy sometimes has specials on certificates for 10,20,30 dollars). If your server has a static IP address, make sure the script always checks the IP. Commented Jun 8, 2013 at 0:57
  • 1
    Good tips, I am already checking the IP, but I'm worried about how easy it is to spoof IP addresses. Commented Jun 8, 2013 at 2:20

2 Answers 2

Reset to default
1

Yes, this is a valid concern. OWASP has some good guidelines here that you should read.

I would like to stress that you shouldn't rely on client logic.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

HTTPS (HTTP through SSL/TLC) is what you want. The protocol will deal with server authentication and (optional) client authentication. You just need enable it in your server, you will be protected from man in the middle attack.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.