javascript login
Started by Demodog, Apr 18 2010 03:54 AM
3 replies to this topic
#1
Posted 18 April 2010 - 03:54 AM
I create a JavaScript that, on page load, prints out two textboxes that let people put in a username and password. When the user presses submit it uses AJAX and calls a login.php page which compares the name and pass to what's in the MySQL database. If it exists it sends a "yes" back to the JavaScript along with the user's data. The login textboxes then disappear and the true page appears using new DIV contents (the page never reloads). If the name and pass do not exist in the database then the JavaScript simply prints "wrong username/pass" and lets the login textboxes remain.
My question is, is this safe?
How can it be exploited compared to a PHP session? As I understand it you can't make an AJAX call from another server, so it should be safe from people making their own JavaScript? Of course you can always see in the code that an AJAX call is being made to the login.php page, and that page can be loaded directly, but it will not echo any data without the right name and pass.
#2
Posted 18 April 2010 - 12:07 PM
I understand now that sending variables with AJAX for storing in MySQL is pretty much open for users to manipulate. If I have to send variables like move.php=?hej or with POST and GET, it will be open for anyone to make their own page linking to mine and adding illegal values.
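An added example, not code from any poster in this thread, showing the server side that the original question and this reply are circling around: a PHP session is created on a successful login, and every later AJAX call (the "move" request) is authorized from that session plus a whitelist of allowed values, so nothing the browser sends is trusted on its own. The table names, columns, database credentials and the `action`/`direction` parameters are assumptions made for the example.

```php
<?php
// Added example, not any poster's code: a single AJAX endpoint (api.php) that
// logs the user in with a PHP session and then authorizes later calls from
// $_SESSION, never from values the browser supplies. Assumed schema: table
// users(id, username, password_hash), hashes created with password_hash().
session_start();
header('Content-Type: application/json');
function reply(array $data): void { echo json_encode($data); exit; }

function authenticate(PDO $db, string $username, string $password): ?int {
    $st = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $st->execute([$username]);              // bound parameter: no SQL injection
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row && password_verify($password, $row['password_hash'])) {
        return (int) $row['id'];
    }
    return null;                            // same answer for unknown user or bad pass
}

$db = new PDO('mysql:host=localhost;dbname=app', 'app', 'db-password');
switch ($_POST['action'] ?? '') {
case 'login':
    $id = authenticate($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($id === null) {
        reply(['ok' => false, 'error' => 'wrong username/pass']);
    }
    session_regenerate_id(true);            // fresh session id after login (fixation)
    $_SESSION['user_id'] = $id;
    $_SESSION['csrf'] = bin2hex(random_bytes(16));
    // Another site can still POST here with the victim's cookie attached, but it
    // cannot read this response, so the JS must echo the token on later calls.
    reply(['ok' => true, 'csrf' => $_SESSION['csrf']]);
case 'move':
    if (empty($_SESSION['user_id'])
        || !hash_equals($_SESSION['csrf'] ?? '', $_POST['csrf'] ?? '')) {
        http_response_code(403);
        reply(['ok' => false, 'error' => 'not logged in']);
    }
    $dir = $_POST['direction'] ?? '';
    if (!in_array($dir, ['north', 'south', 'east', 'west'], true)) {
        reply(['ok' => false, 'error' => 'invalid move']); // whitelist, not escape()
    }
    $st = $db->prepare('UPDATE players SET last_move = ? WHERE user_id = ?');
    $st->execute([$dir, $_SESSION['user_id']]);   // identity comes from the session
    reply(['ok' => true]);
default:
    reply(['ok' => false, 'error' => 'unknown action']);
}
```

The page's JavaScript keeps the `csrf` value from the login response and posts it back with each `move` call; a request that arrives without a valid session cookie and matching token is refused before any database write.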
#3
Posted 19 April 2010 - 06:11 AM
use this in JS:
var escapedstr=escape("move.php=?hej")
then use it like a regular string
yo homie i heard you like one-line codes so i put a one line code that evals a decrypted one line code that prints "i love one line codes"
eval(base64_decode("cHJpbnQgJ2kgbG92ZSBvbmUtbGluZSBjb2Rlcyc7"));
www.amrosama.com | the unholy methods of javascript
#4
Posted 19 April 2010 - 07:53 PM
how does that help?