Hello All,
I have a specific case here in which I would like some security advice. Basically my question is "If I control what is in a database (no user submitted data), is there a security concern to returning the results of a database query in HTML (via AJAX)"?
Here's the process that is happening:
- daily build generates an XML doc
- My server retrieves this XML doc, parses it (with PHP) and enters it into a database.
- User goes to site, the AJAX request is sent (parameters include number of results to return, how to sort, and a search term if necessary)
- PHP script queries the database returning the results to the AJAX callback
- AJAX callback injects the result into the page for viewing
Pretty standard stuff...
Some more background: I use prepared SQL statements, so that limits the user supplied search query and any URL tampering to create an arbitrary query. The XML file is alphanumeric only, no code. The reason that I want to return HTML is to limit client-side work as much as possible, with HTML, there's no need to fuss with JS to generate the page (except to use jQuery to inject the html block).
Any suggestions for me?
Thank you in advance.
PS - this is still in the planning stage, so there's no real code to show.