I want to delete a row in my database and found an example of how to do this with jQuery's $.post().
Now I am wondering about security, though.
Can someone send a POST request to my delete-row.php script from another website?

JS

function deleterow(id) {
    // alert(typeof(id)); // number
    if (confirm('Are you sure want to delete?')) {
        // POST the album id to delete-row.php; on success, hide the table row
        $.post('delete-row.php', {album_id:+id, ajax:'true'},
            function() {
                $("#row_"+id).fadeOut("slow");
            });
    }
}

PHP: delete-row.php

<?php
require_once("../db.php");
mysql_connect(DB_SERVER, DB_USER, DB_PASSWORD) or die("could not connect to database " . mysql_error());
mysql_select_db(DB_NAME) or die("could not select database " . mysql_error());

if (isset($_POST['album_id'])) {
    // album_id is taken straight from the POST body and concatenated into the
    // SQL string without validation or escaping
    $query = "DELETE FROM albums WHERE album_id = " . $_POST['album_id'];
    $result = mysql_query($query);
    if (!$result) die('Invalid query: ' . mysql_error());
    echo "album deleted!";
}
?>
A:

Whether you are doing it via ajax or not, it is possible for someone to send a post to that page with the proper information and delete the row, yes.

EDIT:

In most systems it is required to be authenticated to delete things, if this is the case then I personally wouldn't be very concerned whether the user is deleting things through your interface versus some other means they've figured out.

One strategy to make this a lot harder would be to have a unique token that is loaded with the page and that is required to be passed back to the server in order to delete items. Therefore, if someone wanted to delete the rows from an external system, they would have to call the page and find the token that was generated (maybe you store it in a hidden field, in JavaScript, or in the session), but they would have to extract that token, and THEN pass both the token and whatever information (probably an id) is required back to the delete page...

You may also even be able to come up with a strategy for encoding the ID of the item being deleted, which would make it harder for someone to generate the post to delete items they are interested in. So, to clear this up: your post without encoding would be delete-row.php?id=123; with encoding, delete-row.php?id=j922dh28d7h2edkjdf78h. delete-row.php would then need to decode 'j922dh28d7h2edkjdf78h' to come up with '123' and run the query.

Flash84x
Thanks for the explanation. It's good that you mention that I should not be very concerned: after all, why would my clients be interested in deleting albums, even if they are not theirs? They are not power users anyway.
FFish
A:

Yes, it would be trivial to send requests to delete-row.php, and anyone could delete anything they wanted. A simple examination of your JavaScript would make the URL very clear, and your whole albums table could be easily deleted with a simple looped script.

You likely want to implement some kind of permissions checking before you willy-nilly accept anything from $_POST and modify your database with it.

Do you have an authentication/login system on your site? Generally on a site where people can manage the site's data, you want to have some method of making sure that people are allowed to do whatever it is they are trying to do.

zombat
Yes, I have an access_user class that protects the pages. I can do:

$page_protect = new Access_user;
$page_protect->access_page();

The access_page method is like this:

function access_page($refer = "", $qs = "", $level = DEFAULT_ACCESS_LEVEL) {
    $refer_qs = $refer;
    $refer_qs .= ($qs != "") ? "?".$qs : "";
    if (!$this->check_user()) {
        $_SESSION['referer'] = $refer_qs;
        header("Location: ".$this->login_page);
        exit;
    }
    if ($this->get_access_level() < $level) {
        header("Location: ".$this->deny_access_page);
        exit;
    }
}
FFish
Do you think it will be sufficient to protect my delete-album.php script with the class?
FFish
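As an added example, not code from the question or from either answer, here is a delete-row.php that combines the two answers' suggestions: a logged-in session check, a per-session token that the album page embeds and the $.post call sends back, and a prepared statement with an ownership check. The session keys user_id and csrf_token, the owner_id column on albums, and the use of PDO are assumptions for this example.

```php
<?php
// Added example, not the original poster's code. Assumes a session login that
// stores the user id in $_SESSION['user_id'], an `owner_id` column on `albums`,
// and PDO; the DB_* constants come from the poster's db.php.
require_once("../db.php");
session_start();
// Only accept POST, so a plain link or <img> tag cannot trigger a delete.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}

// 1. Authentication: anonymous requests are rejected before anything else.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('login required');
}

// 2. Per-session token (answer 1's idea). The album page generates it with
//    bin2hex(random_bytes(32)), stores it in $_SESSION['csrf_token'], embeds it in
//    the page, and the $.post call sends it back as csrf_token. Another site cannot
//    read it, so it cannot forge the request. The empty-string guard matters:
//    hash_equals('', '') is true, so a missing session token must fail closed.
$known = $_SESSION['csrf_token'] ?? '';
$sent  = (string)($_POST['csrf_token'] ?? '');
if ($known === '' || !hash_equals($known, $sent)) {
    http_response_code(403);
    exit('bad token');
}

// 3. Input validation: album_id must be a positive integer.
$albumId = filter_input(INPUT_POST, 'album_id', FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
if (!$albumId) {
    http_response_code(400);
    exit('invalid album_id');
}

// 4. Prepared statement (the id is never concatenated into the SQL) plus an
//    ownership check (answer 2's permissions point): users delete only their own rows.
$pdo = new PDO('mysql:host=' . DB_SERVER . ';dbname=' . DB_NAME, DB_USER, DB_PASSWORD,
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare('DELETE FROM albums WHERE album_id = :id AND owner_id = :owner');
$stmt->execute([':id' => $albumId, ':owner' => $_SESSION['user_id']]);
if ($stmt->rowCount() === 0) {
    http_response_code(404);
    exit('no such album, or not yours');
}
echo "album deleted!";
```

The access_page() check from the comment above covers step 1 only; the token and the ownership condition in the WHERE clause are what stop a logged-in user (or a page they visit elsewhere) from deleting albums that are not theirs.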