Question

I was wondering if code I have written is open to attack.

    $.ajax({
        url: site_url+"/customer/update",
        type: 'POST',
        dataType: "json",
        async: true,
        data: {
            'id':$('#id').val(),
            'cuFirstname':$('#firstname').val(),
            'cuLastname':$('#lastname').val(),
            'cuPersonalnr':$('#personalnr').val(),
        },
    });

On the server it looks like this:

    $this->db->where('cuID = '.$customerid);
    $this->db->update('customers',$_POST);

So I'm thinking that maybe if someone could change the variables (cuFirstname, cuLastname, cuPersonalnr) in the data part of the ajax post, that they would be able to write sql-code there.

"update customers set cuFirstname = 'charlie', cuLastname = 'brown', cuPersonalnr = '7012230303' where cuID = 1000"

So if they changed cuLastname to something else it could look like this:

update customers set cuFirstname = 'charlie', [cuShouldnotbechanged] = 'brown', cuPersonalnr = '7012230303' where cuID = 1000

So my question is: Is it possible for an attacker to change those variable names, and if so, how?


Solution

The client can change any aspect of the AJAX call, simply by making their own HTTP request to your URL with their own parameters. So, yes, they could conceivably change any part of the request.

In your code, the question really boils down to "how does my database library handle the update?". You're doing the following:

    $this->db->where('cuID = '.$customerid);
    $this->db->update('customers',$_POST);

which is, presumably, building a query like:

    UPDATE customers SET column1='some value', column2='some other value', ... WHERE cuID='whatever';

based on the keys and values of the $_POST array. To address your specific question about what happens if a client changes the keys in the $_POST array, it seems to me there are two possibilities:

  1. if they enter a column name that does not exist, the database library is either going to ignore it (and update the stuff it is able to) or throw an error (because an UPDATE statement with a non-existent column name is an SQL error).

  2. if they enter a column name that exists but that you did not intend to update, then that new column name will probably be used and updated (unless your database library has protection in place for that - some require you to explicitly state which columns can be updated in this way).
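The second case above is the one to guard against: an update built from the raw `$_POST` keys lets the client choose which columns change. One way to close that, as an added example that is not code from the question or the answer, is to intersect the posted data with an explicit allow-list of column names before it ever reaches the database layer. The column names and the `update()` call shape follow the question; the allow-list, the tampered sample request and the logging are assumptions.

```php
<?php
// Keep only those $post entries whose keys appear in $allowed.
// Any key the form never sends (e.g. 'cuShouldnotbechanged') is dropped,
// so the client cannot pick which columns the UPDATE touches.
function filterUpdatableColumns(array $post, array $allowed): array
{
    return array_intersect_key($post, array_flip($allowed));
}

// Constructed request: a client has added a key the form never sends.
$tamperedPost = [
    'cuFirstname'          => 'charlie',
    'cuLastname'           => 'brown',
    'cuPersonalnr'         => '7012230303',
    'cuShouldnotbechanged' => 'brown',
];

// Assumption: these are the only columns this endpoint may change.
$allowedColumns = ['cuFirstname', 'cuLastname', 'cuPersonalnr'];
$safeData = filterUpdatableColumns($tamperedPost, $allowedColumns);

// Any key that was filtered out is worth logging: it means someone edited
// the request outside the form, which a normal user never does.
$rejected = array_diff_key($tamperedPost, $safeData);
if ($rejected !== []) {
    error_log('Rejected update columns: ' . implode(', ', array_keys($rejected)));
}

var_dump($safeData);
// Only the filtered array goes to the database layer. With CodeIgniter's
// two-argument where() the value is escaped instead of concatenated:
//   $this->db->where('cuID', $customerid);
//   $this->db->update('customers', $safeData);
```

Running this prints an array with only the three allowed keys and logs `Rejected update columns: cuShouldnotbechanged`. The allow-list is the contract of the endpoint, not a property of the HTML form, so it belongs in the server code no matter what the JavaScript sends.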

OTHER TIPS

Can a user write SQL code into those variables? The answer is yes.

Is it open to attack? That entirely depends on your method of sanitization/SQL input.

You can use prepared statements such as PDO (properly) to prevent the possibility.

Otherwise sanitize/check the sent data: It looks as if cuPersonalnr should be numeric? Check to make sure:

    if (!is_numeric($_POST['cuPersonalnr']))
        exit();    //script stops, not a number

First name and last name, I'm assuming, need to be alphanumeric only? Well, create a check, or sanitize any other values that are not alphanumeric:

    if(!ctype_alnum($_POST['cuFirstname'])) {
        exit();    //script stops, contains unsafe characters
    }

instead of exit() you can create an error variable, and return the error.
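The two halves of this answer, field validation and a prepared statement, fit together as follows. This is an added example, not the answer's own code: it collects validation errors into an array instead of calling `exit()`, then runs the UPDATE through PDO with every value bound as a parameter and the column list fixed in the SQL text. The table and column names come from the question; the DSN and credentials, the length limit on `cuPersonalnr`, the constructed input and the JSON error shape are assumptions.

```php
<?php
// Validate the posted fields and return an array of field => message.
// An empty array means the input passed.
function validateCustomerInput(array $post): array
{
    $errors = [];
    // ctype_* functions expect strings; the cast makes a missing field fail
    // the check instead of raising a type warning.
    $first = (string)($post['cuFirstname'] ?? '');
    $last  = (string)($post['cuLastname'] ?? '');
    $pnr   = (string)($post['cuPersonalnr'] ?? '');

    if ($first === '' || !ctype_alnum($first)) {
        $errors['cuFirstname'] = 'must be alphanumeric';
    }
    if ($last === '' || !ctype_alnum($last)) {
        $errors['cuLastname'] = 'must be alphanumeric';
    }
    // ctype_digit is stricter than is_numeric: it rejects "1e3", "-5" and " 7".
    // The 20-character cap is an assumed column width.
    if (!ctype_digit($pnr) || strlen($pnr) > 20) {
        $errors['cuPersonalnr'] = 'must contain digits only';
    }
    return $errors;
}

// The SQL names the columns itself; only values are bound, including the
// cuID in the WHERE clause, so nothing from the request is concatenated.
function updateCustomer(PDO $pdo, int $customerId, array $post): bool
{
    $stmt = $pdo->prepare(
        'UPDATE customers
            SET cuFirstname = :first, cuLastname = :last, cuPersonalnr = :pnr
          WHERE cuID = :id'
    );
    return $stmt->execute([
        ':first' => $post['cuFirstname'],
        ':last'  => $post['cuLastname'],
        ':pnr'   => $post['cuPersonalnr'],
        ':id'    => $customerId,
    ]);
}

// Constructed input standing in for $_POST; the apostrophe in the last name
// fails the alphanumeric rule and is reported rather than silently dropped.
$input = [
    'cuFirstname'  => 'charlie',
    'cuLastname'   => "o'brien",
    'cuPersonalnr' => '7012230303',
];

$errors = validateCustomerInput($input);
if ($errors !== []) {
    header('Content-Type: application/json');
    echo json_encode(['ok' => false, 'errors' => $errors]);
    exit;
}

// Assumed connection details; ERRMODE_EXCEPTION makes failed statements
// throw instead of returning false, and disabling emulated prepares makes
// the server, not the driver, handle parameter substitution.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

updateCustomer($pdo, 1000, $input);
header('Content-Type: application/json');
echo json_encode(['ok' => true]);
```

With the sample input the script returns `{"ok":false,"errors":{"cuLastname":"must be alphanumeric"}}` and never reaches the database. Note that the alphanumeric rule is the one this answer proposes; real names contain apostrophes, hyphens and spaces, so in practice the prepared statement is what keeps the query safe and the validation is a data-quality check you can loosen without reopening the injection.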

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow