Here is an abstract example:
Two types of users (user and admin) have some data that they can change on their Profile page.
A user can change only his own data, but an admin can change the data of any user.
On the admin's Profile page there is code like this:
    $.ajax({
        type: "POST",
        url: "some.php",
        data: {
            'action': 'data_change',
            'user_id': $("#user_id").val()
        },
        success: function (msg) {
            alert("Data Saved: " + msg);
        }
    });
But on the user's Profile page there is code like this:
    $.ajax({
        type: "POST",
        url: "some.php",
        data: {
            'action': 'my_data_change'
        },
        success: function (msg) {
            alert("Data Saved: " + msg);
        }
    });
Here, for example, the my_data_change action (PHP function) gets the user id from the session.
Is it safe? For example, some 'bad user' used to be an admin, but is now a user. So he may know how to send the request (maybe he likes to watch in Firebug).
It turns out that with an easy request modification any user can modify another user's data.
But is it really possible to modify the request locally from the browser? In this example, is it really possible to change the my_data_change action to data_change and add a user_id parameter to the request?
They can modify all the requests they want; they still need to physically log into the server, or your some.php file can simply deny the request as unauthenticated (use sessions!). Once authenticated, the server knows whether the user is an admin or not, and can further check that the client has the proper permissions for the operation requested. The system is about as safe as you make it (give or take an unintended bug or two).
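The server-side checks the answer describes, as an added example that is not part of the original post. The function names (`handle_request`, `save_profile`) and the session keys `user_id` and `role` are assumptions, and the session role is assumed to be set by the server at login and updated when a user is demoted.

```php
<?php
// Added illustration; handle_request, save_profile and the session keys
// 'user_id' and 'role' are assumed names, not code from the page.

// Stub for the real database update; returns the id it would have changed.
function save_profile(int $targetId, string $name): int
{
    return $targetId;
}

// $session stands in for $_SESSION, $post for $_POST.
function handle_request(array $session, array $post): array
{
    // Unauthenticated: no identity in the session, deny outright.
    if (!isset($session['user_id'])) {
        return [401, 'not logged in'];
    }
    $me      = (int) $session['user_id'];
    $isAdmin = ($session['role'] ?? 'user') === 'admin';
    $name    = is_string($post['name'] ?? null) ? $post['name'] : '';

    switch ($post['action'] ?? '') {
        case 'my_data_change':
            // Target is always the session user; a posted user_id is ignored.
            return [200, 'changed user ' . save_profile($me, $name)];
        case 'data_change':
            // The role comes from the session, never from the request, so a
            // former admin replaying the old request is refused.
            if (!$isAdmin) {
                return [403, 'admin only'];
            }
            $target = filter_var($post['user_id'] ?? null, FILTER_VALIDATE_INT);
            if ($target === false || $target < 1) {
                return [400, 'bad user_id'];
            }
            return [200, 'changed user ' . save_profile($target, $name)];
        default:
            return [400, 'unknown action'];
    }
}

// Constructed requests: a plain user (id 7) sending the admin action,
// then an admin (id 1) sending the same body.
$body   = ['action' => 'data_change', 'user_id' => '3', 'name' => 'x'];
$forged = handle_request(['user_id' => 7, 'role' => 'user'], $body);
$admin  = handle_request(['user_id' => 1, 'role' => 'admin'], $body);
printf("%d %s\n%d %s\n", $forged[0], $forged[1], $admin[0], $admin[1]);
```

In a real `some.php` the returned status would be sent with `http_response_code()` before the message is echoed.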