I have a password textbox which starts with an empty value. When the user clicks on it and enters a password, on blur of the textbox the password is updated in the database.
I have done that using Ajax, but I want to know whether there is any security hole in this script. I am afraid the data we are sending from the ajax() function can be changed using some hacking utilities like Firebug. Please advise me on some points. Any points will be appreciated.
My code is below:
```javascript
// Code inside the blurSave() JavaScript function
var newName = $j('[name=abs]').val();
// URL-encode the value so characters such as & or + survive the POST body
var thedata = 'nam=' + encodeURIComponent(newName);
$j.ajax({
    type: "POST",
    url: "save.php",
    data: thedata,
    cache: false,
    success: function (html) {
        $j("#update").empty();
        $j("#update").fadeIn("slow");
        $j("#flash").hide();
        //$j("#update").hide(2000);
        $j("[name=abs]").fadeOut(2000);
        $j("#update").append(html);
    }
});
```
HTML code:
```html
<div id="flash"></div>
<div id="update"></div>
<div>
    <a href="#" id="edit">hello</a>
</div>
<div id="editbox" style="display: none">
    <input type="password" name="abs" id="abs" onblur="blurSave()">
</div>
```
Making an Ajax request is not that much different from a standard browser request. Anything you can manipulate with development tools like Firebug would apply regardless of whether you use Ajax or not.
In this case, the security of your application will depend largely on two things, neither of which is related to Ajax.
1. Your backend. If your PHP backend is secure, it doesn’t matter if the request is Ajax or a normal browser request. This means that you need to check for things like input sanitization to protect yourself from injections.
2. HTTPS. Regardless of how secure your backend is, it might not mean anything unless you use HTTPS. If you don’t, the passwords will be sent from the client to the server in plain text, making it relatively easy for anyone to “sniff” them. Again, this is the same if you use Ajax or not.
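A sketch of what the two points above could look like in `save.php`, added here as an example and not taken from the original post. The `users` table, `password_hash` column, `user_id` session key, length policy and database credentials are assumptions; only the `nam` field comes from the question's script.

```php
<?php
declare(strict_types=1);
// Added example for save.php. Table, column, session key and DSN are assumptions.

function fail(int $status, string $message): void
{
    http_response_code($status);
    // The page appends this response into #update, so escape it as HTML.
    exit(htmlspecialchars($message, ENT_QUOTES, 'UTF-8'));
}

// HTTPS: refuse to accept a password over plain HTTP.
// (Behind a TLS-terminating proxy this variable may be unset; adapt the check.)
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    fail(400, 'HTTPS required');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'POST only');
}

// The account to update comes from the server-side session, never from the
// request, because every request field can be edited in the browser.
session_start();
if (empty($_SESSION['user_id'])) {
    fail(401, 'Not logged in');
}

// Validate the one field the client script sends ("nam").
// 8 is an assumed minimum; 72 bytes is the limit at which bcrypt truncates input.
$password = $_POST['nam'] ?? '';
if (!is_string($password) || strlen($password) < 8 || strlen($password) > 72) {
    fail(422, 'Password must be 8 to 72 bytes long');
}

// Store a salted hash, not the password itself.
$hash = password_hash($password, PASSWORD_DEFAULT);

// Prepared statement: the values are bound as parameters, so they cannot
// change the structure of the SQL query.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$stmt = $pdo->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
$stmt->execute([':hash' => $hash, ':id' => $_SESSION['user_id']]);

echo 'Password updated';
```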