views: 218

answers: 3

I was looking through some code on a project of mine and thinking about all the PHP pages that I call with Ajax that just run a simple update or insert query, and it made me think: what if I could essentially run an insert or update SQL query from JavaScript?

Assuming I am using the Prototype JavaScript framework for Ajax and PHP on the server side.

Would this work?

js:

<script type="text/javascript">
// table is a string containing the table name
// fields is an array of field names
// values is an array of values
function mysql_insert(table, fields, values) {
    var i;
    var sql = "INSERT INTO " + table + " (";
    for (i = 0; i < fields.length; i++) {
        if (i > 0) sql = sql + ", ";          // comma-separate the column list
        sql = sql + "`" + fields[i] + "`";
    }
    sql = sql + ") VALUES (";
    // purposefully used fields array in for loop so we get matching number of values
    for (i = 0; i < fields.length; i++) {
        if (i > 0) sql = sql + ", ";          // comma-separate the value list
        sql = sql + "'" + values[i] + "'";
    }
    sql = sql + ");";

    // the complete SQL string is sent to the server as the 'query' parameter
    var par = 'query=' + encodeURIComponent(sql);
    var ajax = new Ajax.Request('sql.php', {method: 'post', parameters: par, onComplete: function(res) { }});
}
</script>

php:

<?php
    include('db.php');  // connect to the MySQL server and select the database
    mysql_query($_POST['query']);  // runs whatever SQL the browser sent
?>

Obviously this is a simple example; I'm just interested to know if this would work and whether I could replace the lot of small PHP pages that are each running a separate query.

+8  A: 

Don't do that!

It will allow anyone to do whatever he likes with your database!

He would be able to send any SQL command to your database.

Ghommey
I wonder, if we use a session (cookie) that is set after a log-in mechanism, will it still be a problem?
NawaMan
Totally agree with Ghommey. Everything you have in JavaScript is visible and modifiable.
egon
@NawaMan... yes it will be, because anyone able to log in can still do anything...
egon
Cookies won't help as there are cookie editors.
Ghommey
Thanks, makes sense. I keep forgetting the JavaScript visibility thing. I'm more familiar with compiled software; I'm just learning web programming in my spare time.
Tim
:-O -- So a cookie (or session) does not work? What about a regular PHP user login? Is it secure enough? If so, why is it different from this Ajax? If not, what can we do? Thanks in advance.
NawaMan
Using Firebug or a similar tool you can add JavaScript to any web page and execute it. So you could log in or get the cookie and then execute any command like `truncate users;`, and your user table will be blank in no time.
Ghommey
A: 

Why don't you hide your SQL statement in your PHP? It is very dangerous to expose your database schema to the public.

Try to pass only the data, without field names.

Shivan Raptor
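The first answer's point is that `sql.php` above runs whatever text the browser sends, and this answer's fix is to keep the SQL on the server and send only data. The following is an added example (not code from the question or from either answer) of what the server-side endpoint looks like when it follows that advice, written in JavaScript so the contrast with `mysql_insert` is direct; the `SCHEMA` allow-list, the `buildInsert` and `handleInsertRequest` names, and the `{table, data}` request shape are all assumptions made for the example.

```javascript
// Added example, not code from the question or answers: the server-side half
// of the pattern the answers recommend. The browser sends only data (a table
// name plus column/value pairs); the SQL text is assembled here from a fixed
// allow-list, and every value travels as a bound parameter, so the client never
// chooses the query text. The schema below is constructed for the example.
const SCHEMA = new Map([
  ["users", new Set(["name", "email"])],
  ["posts", new Set(["title", "body", "author_id"])],
]);

// A Map rather than an object literal: with a plain object, a client-supplied
// table name such as "constructor" would resolve through Object.prototype.
function allowedFields(table) {
  return SCHEMA.get(table);
}

// Only scalar values are accepted; nested objects and arrays are refused.
function isPlainValue(v) {
  return v === null || typeof v === "string" || typeof v === "number";
}

// Turn a client request (table name, column/value object) into a
// parameterized INSERT. Throws on anything outside the allow-list;
// otherwise returns { sql, params } for a prepared-statement call.
function buildInsert(table, data) {
  const fields = allowedFields(table);
  if (!fields) throw new Error("unknown table: " + String(table));
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    throw new Error("data must be an object of column/value pairs");
  }
  const columns = Object.keys(data);
  if (columns.length === 0) throw new Error("no columns supplied");
  for (const c of columns) {
    if (!fields.has(c)) throw new Error("unknown column: " + c);
    if (!isPlainValue(data[c])) throw new Error("unsupported value for " + c);
  }
  // Identifiers come from the allow-list, so quoting them is safe; values are
  // never concatenated into the string, only bound by position.
  const sql =
    "INSERT INTO `" + table + "` (" +
    columns.map((c) => "`" + c + "`").join(", ") +
    ") VALUES (" + columns.map(() => "?").join(", ") + ")";
  return { sql, params: columns.map((c) => data[c]) };
}

// Wrapper for a raw JSON request body. Returns null on any rejection so the
// handler can answer 400 without reporting which check failed.
function handleInsertRequest(bodyText) {
  try {
    const body = JSON.parse(bodyText);
    return buildInsert(body.table, body.data);
  } catch (e) {
    return null;
  }
}
```

The `{ sql, params }` pair is exactly what a prepared-statement API consumes: in PHP, `$pdo->prepare($sql)->execute($params)`; in Node with mysql2, `connection.execute(sql, params)`. The schema stays server-side, the client sends no field names it did not already know, and a value containing quotes or SQL keywords is stored as a literal string rather than interpreted.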
A: 

Ghommey is absolutely right. If you can afford to redesign your application architecture, then I would suggest you read Advanced Ajax: Architecture and Best Practices. It discusses Ajax-related security issues and how you should design your application to work with Ajax, and, more interestingly, the server-side script is in PHP.

Ramiz Uddin