3

I was looking through some code on a project of mine and thinking about all the php pages that I call with ajax that just run a simple update or insert query and it made me think. What if I could essentially run an insert or update sql query from javascript.

assuming I am using the prototype javascript framework for ajax and php on the server side.

would this work?

js:

<script type="text/javascript">
// table is string containing table name
// fields is an array of field names
// values is an array of values
function mysql_insert(table,fields,values) {
 var sql = "INSERT INTO " + table + "(";
 for(i=0; i<fields.length; i++) {
 sql = sql + "`"+fields[i]+"`";
 }
 sql = sql + ") VALUES (";
 // purposefully used fields array in for loop so we get matching number of values
 for(i=0; i < fields.length; i++) {
 sql = sql + "'"+values[i]+"'";
 }
 sql = sql + ");";
 var par = 'query='+sql;
 var ajax = new Ajax.Request('sql.php',{method:'post',parameters:par,onComplete:function(res) { }});
}
</script>

php:

<?php
 include('db.php'); // connect to the mysql server and select database
 mysql_query($_POST['query']);
?>

Obviously this is a simple example, just interested to know if this would work and I could replace the lot of small php pages that are each running a separate query?

asked Oct 28, 2009 at 9:18
1
  • 4
    security threat. it will work, but you have exposed too much information to the public. Commented Oct 28, 2009 at 9:24

3 Answers 3

10

Don't do that!

It will allow anyone to do what ever he likes with your database!

He would be able to send any sql command to your database.

answered Oct 28, 2009 at 9:19
Sign up to request clarification or add additional context in comments.

6 Comments

I wonder, if we use session (cookie) that is set after a log-in mechanism, will it still be problem?
Totally agree with Ghommey. Everything you have in javascript is visible and modifiable.
@NawaMan... yes it will be, because anyone able to login can do still anything...
Thanks, makes sense I keep forgetting the javascript visibility thing. I'm more familiar compiled software just learning web programming in my spare time.
:-O -- So if cookie (or session) does not work? What about a regular PHP user login? Is it secure enough? If so, why different from this AJAX. If not, what can we do? Thanks in advance.
|
0

Why don't you hide your SQL statement in your PHP ? It is very dangerous to expose your database schema to public.

Try to pass the data without field names only.

answered Oct 28, 2009 at 9:23

Comments

0

Ghommey absolutely right. If you could afford to redesign your application architecture then I would suggest you to read Advanced Ajax: Architecture and Best Practices. It discussed ajax related security issues and how should you design your application to work with ajax and more interesting the server-side script is in PHP.

answered Oct 28, 2009 at 9:31

Comments

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.