I’m using a jQuery dialog to ask the user if he really wants to delete the record (user is logged in).
If yes, I fetch the record’s ID and run jQuery.ajax.
My questions are:
- Can a user execute a jquery without interacting with the screen?
- Can a user, through some “hack ware”, pass on any record_id, thus deleting a record that he’s not supposed to delete?
Here’s my code:
function initDeleteRecord() {
    var options = {
        title: "Delete record",
        modal: true,
        buttons: {
            "Ok": function() {
                var record_id = jQuery('#recordID').val(); // <-- Can this be manipulated?
                deleteRecord(record_id);
            },
            "Cancel": function() {
                jQuery(this).dialog("close");
            }
        }
    };
    jQuery('#dialog').dialog(options);
    jQuery('#dialog').dialog("open");
}

// siteURL is assumed to be defined elsewhere on the page.
function deleteRecord(record_id) {
    jQuery.ajax({
        url: siteURL + "/jquery.php",
        data: {instance: 'deleteRecord', record_id: record_id},
        success: function(data) {
            jQuery('#dialog').dialog("close");
            window.location.href = siteURL; // window.location is a property, not a function
        },
        dataType: 'json'
    });
}
1) Sure, it’s trivial to extract the url from a chunk of javascript and invoke the web service directly. It’s impossible to guarantee 100% of the time that script x.php was invoked by a piece of javascript executing in a particular page. As far as the PHP script is concerned, a POST done by an AJAX call is the same as a POST done in a form on a completely different page or server.
2) Easily. Consider someone putting a simple .html page on their own local computer with a form in it:
this will have exactly the same effect as your jquery ajax call.
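Because the server cannot tell an AJAX request from a hand-made form post, the protection has to live in the PHP script itself: it must re-check who is logged in, bind the delete to that user, and refuse cross-site posts. The following is an added example of how jquery.php's deleteRecord branch could do that; it is not the asker's code or anything from the thread. The table and column names (records, id, owner_id), the session keys (user_id, csrf_token), the PDO DSN and the hidden-input name csrf_token are all assumptions, and the client call would need type: 'POST' and a csrf_token field added to its data.

```php
<?php
// Added example: a server-side handler for the record deletion that the
// question's AJAX call posts to. Table/column names, session layout,
// the DSN and the CSRF token name are assumptions, not the asker's setup.
session_start();
header('Content-Type: application/json');

function fail(int $status, string $message): void
{
    http_response_code($status);
    echo json_encode(['ok' => false, 'error' => $message]);
    exit;
}

// 1. Only a logged-in user may reach this code at all.
if (empty($_SESSION['user_id'])) {
    fail(401, 'not logged in');
}

// 2. A state-changing action is only accepted over POST.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'POST required');
}

// 3. Reject posts from a form on another page or server: require a per-session
//    token that this site embeds in the page (assumed hidden input "csrf_token")
//    and that the AJAX call sends along. A foreign form cannot know it.
if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    fail(403, 'bad CSRF token');
}

// 4. Validate the shape of record_id; it is never interpolated into SQL.
$recordId = filter_input(INPUT_POST, 'record_id', FILTER_VALIDATE_INT);
if ($recordId === false || $recordId === null) {
    fail(400, 'invalid record_id');
}

// 5. Authorise on the server. The id came from the browser and may have been
//    changed in #recordID or in a crafted request, so the DELETE is scoped to
//    rows owned by the session user: a forged id for someone else's record
//    matches zero rows instead of deleting anything.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret'); // assumed DSN
$stmt = $pdo->prepare('DELETE FROM records WHERE id = :id AND owner_id = :owner');
$stmt->execute([':id' => $recordId, ':owner' => $_SESSION['user_id']]);

if ($stmt->rowCount() === 0) {
    // Same answer whether the record is missing or belongs to another user,
    // so the endpoint does not reveal which ids exist.
    fail(404, 'record not found');
}

echo json_encode(['ok' => true]);
```

The dispatch on the instance parameter from the question is left out; this is the body that would run for instance=deleteRecord. The key line is the WHERE clause: ownership is decided from the session, not from anything the client sends, so manipulating #recordID or replaying the request from another page changes nothing about which rows the user can delete.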