I am looking for a way to use AJAX and jQuery to store data from one form in another without losing the values. I want to be able to keep this data away from the front end user and allow them to remove the information should they wish to. I need to be able to get this information out when the user submits the data. I would like to be able to store the values in an associative PHP array if possible, for example:
<?php
$information = array(
"first_information"=>array(
"name"=>"Sam Swift",
"age"=>21
),
"second_information"=>array(
"name"=>"Example Name",
"age"=>31
)
);
?>
I would have used a database for this but because of volume this will not be possible. I want to keep the data away from the user so that they have no access to it at all, the data should be held where the user has no way to see it, access it or change it. This is due to the nature of the data and all of it should be as secure as possible.
Any information that you store client-side is naturally going to be accessible and mutable by the client. If this sensitive data is data that the user is entering, then you really shouldn't worry about them manipulating the data (because that is what they are supposed to be doing). If however it is data that is being sent by the server - and never displayed or used in that form by the client - this is data that should never leave the server in the first place.
Ajax is not specifically a solution to this problem - whether you send the data asynchronously (i.e., piecemeal with Ajax) or as a full HTTP post is immaterial. You need to store the sensitive data on the server only along with a session ID to associate it with the client session.
Without knowing exactly what data you are storing nor what you are doing with it, it is difficult to advise you how to proceed. You should rethink how you are structuring your application if you are sending sensitive data for the client to work with. The client should only ever see the input and the results. The processing should be done on the server.
For example: perhaps your user is adding an amount to a bank balance. The user enters the amount on the client. but you don't want the client to see or be able to modify the actual value. You could send the balance to the client, perform the addition operation, then send the total back to the server. Far better would be for the client to send the amount to add to the server, which would then add the value to the balance, and return a confirmation for the client to display.
Related
We have a mobile app where the client gets a bunch of data from the server, stores and uses that data on a local db, and then syncs the new/modified data back to the server. My team is very concerned about the reliability of the data and want me to verify that syncing went correctly by first sending a "sync manifest". This would contain things like the number of rows that are to be sent so that can be compared with what the client actually stores.
My question is: Is there a point to doing something like this? If there is an actual error either when sending the request or storing the data we will get that error message. Is there a point to having this kind of extra verification when sending data and if so what would you look for?
The use case is - user will request some data, user can edit that data and user can persist data on server side. In this scenario I want to have some integrity of data. Here legitimate use can resend the request from Developer tool by putting some malicious values(user is editing in rich text editor) in the JSON data.
To resolve this I am using an approach of calculating MD5/SHA256 of JSON data and send that hash along with data and at server side recalculate the hash from data and compare that hash with input hash. To make it tough I am using salt while generating the hash. The approach I am using is when user logs in- create a Salt and store that in user's session. When user requests the page i am sending the Salt in ModalMap. When user sends request to persist that JSON data, I will use the salt+data to generate hash
Now, my problem here is I want the salt to be hidden from user. The EL evaluated attributes are visible to user from page source and same is the case for scriptlet or jstl.
So, is there any way of accessing some attribute secretly on JSP page?.
I understand that when JSP gets parsed all those tags gets evaluated.
Minification of JS will make it little harder to find but is will not be impossible to retrieve the salt value.
I also understand that I should have such logic at server side but the requirement is preventing me to do that.
If I cannot access attributes secretly then is there any other approach of doing that?.
I have not included any source code here because it's generic.
I want to select the entire table from mysql and validate those values using javascript. I know I can do this using AJAX which will send a HTTP request to the server but I feel sending too many HTTP request to the server can be quite bad as the page will load much slower, or I could store the value as the page load in the client cookie. I think it will be much faster but might be too much data stored in the cookie specially if the mysql table is too big.
What do you guys think should be the best approach for this? Is it a good thing to store mysql data in a client cookies
UPDATE
Say I have 100 Items in mysql, these 100 items I needed them displayed in a page dynamically, as the next time the page is loaded there might be 101. That means I need to validate how many items are there and allocate them to the page, and im not sure how to do that and where either client side or server side.
You could do an AJAX call for the information, do the validating of what data you need/don't need, then send it back as an array. When you get the array back you can do a for loop through the array creating the div's for each index/object in the array. This way if you have 5 items that need to be shown, you can show them. Then later if you have 7, you can show them as well. Hope this helps!
I have a form where users can buy credits with PayPal or banktransfer as payment option.
If a user selected "PayPal" as an option, the form data will be send to PayPal, using JQuery/JS:
$(':radio').change(function () {
var $this = $(this).val();
if ($this === 'pp') {
$('#form').attr('action','https://www.paypal.com/cgi-bin/webscr');
}
else
{
$('#form').attr('action','');
}
});
The user can also choose how much he wants to pay, which also selects how many credits he'll get from it. Additionally he can add a coupon-code. An Ajax-Request will check our database, if this is a valid coupon and grants the discount-value then.
All informations are stored in hidden input fields (what the price is, how many credits, how much discount (if any), user id, etc.).
Now, I want to make sure that the user doesn't manipulate these values with Developer Tools or similiar things to pay less, use another user id and so on.
What would be the best possible way to prevent this form manipulation and receive the correct data? I assume it's kinda difficult because there are so much values to change.
Data Forgery / Manipulation
There are many nefarious means of sending manipulated or forged data to a web server - cURL, Http Client (OSX app) just to name two that I use frequently when debugging. A determined attacker will send bad data to the HTTP server no matter what Javascript you think up.
Think outside the box
For security needs, it's time to break out of the mental model of using a web browser because it's a web site. As already stated, there are many ways to send data to an HTTP server.
Javascript is good for the UI and helping the user, but when it comes to securing your service against intentionally bad/wrong/malformed data, you must do that on the server.
Your particular problem
You may need to re-think using hidden form fields. One approach would be to use sessions to keep track of this info. If this is information that must be sent to PayPal in their form, there is a way to embed the PayPal form using encrypted data.
If you don't want to do this, the point of security then moves to the order processing code - look at the transaction details (currency amount, etc) before considering that a transaction is complete and valid.
Upon completion of an ajax call I would like to direct the user to an html page, but at the same time passing a hidden variable (this variable contains sensitive information and should not show up in the URL).
How can I accomplish this?
window.location.href = 'userpage.html?id=14253';
But with the id remaining invisible? Can I POST the id somehow while sending the user to userpage.html?
You should not be checking user credentials on the client side of your website. Regardless of how the ID is being passed to your script, it can be replicated without you being able to check if the request is valid.
To start being even remotely secure with what information is granted to a user, you need to be checking it via the server side. With every request, ensure the user is authenticated to view such data.
If I were you, I would look into using PHP sessions as the first line of defense for checking if a user is authenticated. Doing so will at least keep the information about a user out of a replicable space that can be viewed by the user.
Look up 'php session login tutorial' on Google and you will find plenty of simple tutorials which should get you on the right track.
Example Tutorial
No matter what, the information you pass along is insecure. You can submit a post request using XMLHttpRequest objects if you'd like (or use a framework/library to make AJAX calls) -- but the user could still spoof the data and get different results.
ID enforcement should be done in the backend. Does the requested ID match the ID of the user signed in? No? Don't show it. etc etc.