views:

68

answers:

3

Hello All,

I have a specific case here in which I would like some security advice. Basically my question is "If I control what is in a database (no user submitted data), is there a security concern to returning the results of a database query in HTML (via AJAX)"?

Here's the process that is happening:

  1. daily build generates an XML doc
  2. My server retrieves this XML doc, parses it (with PHP) and enters it into a database.
  3. User goes to site, the AJAX request is sent (parameters include number of results to return, how to sort, and a search term if necessary)
  4. PHP script queries the database returning the results to the AJAX callback
  5. AJAX callback injects the result into the page for viewing

Pretty standard stuff...

Some more background: I use prepared SQL statements, so that limits the user supplied search query and any URL tampering to create an arbitrary query. The XML file is alphanumeric only, no code. The reason that I want to return HTML is to limit client-side work as much as possible, with HTML, there's no need to fuss with JS to generate the page (except to use jQuery to inject the html block).

Any suggestions for me?

Thank you in advance.

PS - this is still in the planning stage, so there's no real code to show.

+2  A: 

Sounds like you're doing pretty standard stuff. Lots of people will use AJAH (HTML instead of XML or JSON) for the same reasons you mentioned.

Mike Sherov
Thanks for the input. I just don't want to create some kind of possible XSS vuln or something. I know I need to sanitize, but it only take one omission...
Tim
+6  A: 

As long as you control the input 100%, there is very little risk of injection or XSS attacks. Any attacks that can take place such as replacing part of or injecting into the response over the wire, would happen no matter what security measures you have in place.

Just keep your database secure.

Aaron Harun
Thanks - I was hoping that would be the answer :o) lol
Tim
+1  A: 

Possible place for XSS is if you display search terms in ajax response.

codez
I do not, but thank you for letting me know that.
Tim