my question is simple, but I can't find any updated informations about it.
Basically, I've a phonegap application :
- HTML files
- JS files
- ..
And php files on OVH server.
When the application need to CRUD the database (mysql-ovh), it's been done with ajax call.
For example :
if(confirm("Delete record ?")){
params = {
"action": "delete_record",
"record_id": record_id
}
ajax_post(params, function(data){
if(data.status == 'success') {
alert(data.msg);
$.mobile.changePage( "aRandomPage.html");
} else {
alert("erreur : " + data.msg);
}
});
}
NB : ajax_post is just a personalized function doing a simple ajax post so I don't have to write all informations such as file URL and so on.
The problem is that ANYONE could edit the javascript file (Either by unzipping the .apk, .xap or by console if it is a web version) and transform the params to
params = {
"action": "delete_record",
"record_id": 5
}
and delete the record number 5 (which is not his and he shouldn't be able to) or whatever record he wants, and doing so, he could delete all records.
Is there a classic way to handle this I'm not aware of ?
I came up with a solution : I could store the password in the storage.setItem(""), and everytime there is an access to the database through ajax, I would pass the userid (already stored in storage) and the password. Then I would check on PHP side if password and ID are matching (Kind of a loggin thing).
That way, I would be sure the user sending the request is the owner of the record and can delete it. (I don't see how someone could bypass that since it would require the password of the user)
Downside is to store password on client, not sure it's any better..
Thanks in advance,
