Question

Let's say I have a table and each row has 2 columns: 1) some information 2) nothing, but it deletes the current information when clicked, using AJAX

<!-- each row's second cell sends its own id to delete.php when clicked -->
<table>
    <tr>
        <td> info 1 </td>
        <td id="1" onclick="$.ajax('delete.php', {data: {id: this.id}})"></td>
    </tr>
    <tr>
        <td> info 2 </td>
        <td id="2" onclick="$.ajax('delete.php', {data: {id: this.id}})"></td>
    </tr>
    <tr>
        <td> info 3 </td>
        <td id="3" onclick="$.ajax('delete.php', {data: {id: this.id}})"></td>
    </tr>
</table>

Someone can just use the browser's Inspect Element, change the id to some other number, and then delete whatever he wants! How can I protect it? How do other sites (like Facebook with the LIKE method) do that?


Solution 2

Your server code should always validate whether a user has the right to perform a certain operation, be it delete or add or update or whatever. Any session cookies are transported with the Ajax call as well, so use those to check who the user is (don't forget that session cookies can be hijacked as well, so in critical applications bind them to an IP address server side).

Edit: another method. You can also generate a one-time token on the server and have the Ajax call transmit that as well, as one of the arguments. On the server you have to keep track of those tokens and only allow actions with a valid token. Valid can be: generated less than x minutes ago on the same IP address.
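The checks this answer describes, written out as an added example (not code from the question or answers): a stand-in for delete.php that resolves the session cookie to a user, consumes a server-issued one-time token bound to that user and IP with a 5-minute lifetime, and only then checks that the row belongs to the caller. The item table, session store and IP addresses are constructed for the example.

```python
import secrets
import time

# Constructed in-memory stand-ins for the database and the session store.
ITEMS = {1: {"owner": "alice", "info": "info 1"},
         2: {"owner": "alice", "info": "info 2"},
         3: {"owner": "bob", "info": "info 3"}}
SESSIONS = {"sess-alice": {"user": "alice", "ip": "10.0.0.5"},
            "sess-bob": {"user": "bob", "ip": "10.0.0.9"}}
TOKENS = {}            # token -> {"user", "ip", "issued"}; the server-side record
TOKEN_TTL = 5 * 60     # "generated less than x minutes ago": x = 5 here

def issue_token(session_cookie, ip, now=None):
    """Mint a one-time token for the logged-in user and remember who got it."""
    sess = SESSIONS.get(session_cookie)
    if sess is None:
        return None
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"user": sess["user"], "ip": ip,
                     "issued": time.time() if now is None else now}
    return token

def handle_delete(session_cookie, ip, item_id, token, now=None):
    """What delete.php should do with the request; returns an HTTP-style status."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(session_cookie)
    if sess is None or sess["ip"] != ip:          # no session, or cookie used from another IP
        return 401
    rec = TOKENS.pop(token, None)                  # pop(): a token can only be spent once
    if (rec is None or rec["user"] != sess["user"] or rec["ip"] != ip
            or now - rec["issued"] > TOKEN_TTL):
        return 403
    item = ITEMS.get(item_id)
    if item is None:
        return 404
    if item["owner"] != sess["user"]:              # the forged-id case from the question
        return 403
    del ITEMS[item_id]
    return 200
```

The client-supplied id is never trusted on its own: the row's owner is looked up server side and compared with the user the session cookie identifies.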

OTHER TIPS

Always verify your data on the server side! The client can do whatever he wants and you can't do anything about that... so only the server side can validate in the end.

Licensed under: CC-BY-SA with attribution