O'Reilly logo

Ajax Bible by Steven Holzner

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Chapter 15

Ajax and Security

IN THIS CHAPTER

  • Handling malicious users
  • Withstanding JavaScript and SQL injection attacks
  • Implementing password protection
  • Implementing password protection on the server
  • Sending username and password to the server using the XMLHttpRequest object
  • Using public/private key encryption to protect passwords

This chapter discusses Ajax and security, a particularly important topic because Ajax involves communicating with server-side programming, which lays it open for abuse. This chapter contains a discussion of security issues with Ajax, and what to do about them.

Protecting Against Malicious Users

Unfortunately, malicious users are out there, ranging from the casual to the very serious. If your Ajax application involves credit card use or other sensitive data, that application may be open to abuse.

The problem with Ajax applications is that the way you deal with the server is by using JavaScript, and that JavaScript is visible to all. Even placing that JavaScript in a .js file on the server offers no relief — those .js files are easily downloaded. Even if you create the JavaScript on the fly, as with a PHP script, it's still easily accessible by the user, who has only to view the page source.

That means you have to assume that, security-wise, users have access to your JavaScript, which means they can figure out how your application deals with the server. In simple terms, for example, you might access this URL on the server to record a user's score:

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required