You're right, Bryan, AJAX is no safer than a regular form post. I would imagine that even easier than trying to read some people's javascript or obfuscated code, would just be a packet sniffer for outbound traffic bound for a target server. Any information that goes over the web is hackable. All data should be verified before manipulated or persisted.
-nathan strutz
http://www.dopefly.com/

On 1/3/06, Bryan Stevenson <[EMAIL PROTECTED]> wrote:
> It has just hit me that AJAX may not be all that safe.
>
> One could derive all that is being passed in an AJAX request by using view
> source and nabbing any included JS files. Once you had that info you could
> then figure out what's being sent in the request (i.e. variable names etc.).
>
> So in the case of an AJAX call that perhaps sends form contents to be
> inserted into the DB....what's to stop someone from reverse engineering your
> AJAX call and start inserting their own data??
>
> I'm not readily seeing in the AJAX code where the domain is specified (my
> guess is programmatically) as there is no domain setting....just which CFC/CFM
> file to call.
>
> I'm still working out the kinks....I love the possibilities of CFAJAX.....but
> this security issue (if it really is one) has me a bit spooked ;-)
>
> TIA
>
> Cheers
>
> Bryan Stevenson B.Comm.
> VP & Director of E-Commerce Development
> Electric Edge Systems Group Inc.
> phone: 250.480.0642
> fax: 250.480.1264
> cell: 250.920.8830
> e-mail: [EMAIL PROTECTED]
> web: www.electricedgesystems.com
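The point both posts circle around is that the client-side half of an AJAX call (the JavaScript, the variable names, the endpoint) is visible to anyone, so a request that looks like it came from your form can be assembled by hand. The only defence is to treat every request the same way on the server: accept only the fields you expect, check each value, and write to the database with a parameterized query. The following Python example is added here to illustrate that server-side check; it is not code from this thread or from CFAJAX, and the request dictionaries, field names and the `orders` table are constructed for the example.

```python
import re
import sqlite3

# Constructed sample requests (not from the thread): one as the page's own
# JavaScript would send it, one with an extra field a hand-crafted request
# could add, and one with values the browser-side form would never produce.
LEGIT_REQUEST = {"name": "Alice Example", "email": "alice@example.com", "qty": "3"}
CRAFTED_REQUEST = {"name": "Alice Example", "email": "alice@example.com",
                   "qty": "3", "is_admin": "1"}
BAD_VALUES_REQUEST = {"name": "x" * 500, "email": "not-an-email", "qty": "-1"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Allowlist schema: field -> (validator, converter). A request may carry only
# these fields, and each value must pass its check before it is used.
SCHEMA = {
    "name": (lambda v: 1 <= len(v.strip()) <= 100, lambda v: v.strip()),
    "email": (lambda v: len(v) <= 254 and EMAIL_RE.match(v) is not None, str),
    "qty": (lambda v: v.isdigit() and 1 <= int(v) <= 99, int),
}


def validate(params):
    """Return cleaned values, or raise ValueError.

    Unknown fields are rejected outright rather than silently ignored, since a
    hand-assembled request is free to add anything the JavaScript never sends.
    """
    if not isinstance(params, dict):
        raise ValueError("request body is not a form/JSON object")
    unknown = set(params) - set(SCHEMA)
    if unknown:
        raise ValueError(f"unexpected field(s): {sorted(unknown)}")
    cleaned = {}
    for field, (check, convert) in SCHEMA.items():
        value = params.get(field)
        if not isinstance(value, str) or not check(value):
            raise ValueError(f"invalid or missing field: {field}")
        cleaned[field] = convert(value)
    return cleaned


def open_db():
    """In-memory SQLite database with the (constructed) orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, name TEXT, email TEXT, qty INTEGER)"
    )
    return conn


def save_order(conn, params):
    """Server-side entry point shared by the AJAX handler and the plain form post.

    Validation happens here, on every request, regardless of how it arrived;
    the INSERT is parameterized so values are never spliced into the SQL text.
    Returns the new row id.
    """
    clean = validate(params)
    cur = conn.execute(
        "INSERT INTO orders (name, email, qty) VALUES (?, ?, ?)",
        (clean["name"], clean["email"], clean["qty"]),
    )
    conn.commit()
    return cur.lastrowid


def try_save(conn, params):
    """Return (ok, detail) so a handler can map the result to a 200 or 400 reply."""
    try:
        return True, save_order(conn, params)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    db = open_db()
    for req in (LEGIT_REQUEST, CRAFTED_REQUEST, BAD_VALUES_REQUEST):
        print(try_save(db, req))
```

The handler does not care whether the caller was the page's own XMLHttpRequest, a regular form submission, or something that merely replayed the same parameters: the schema and the parameterized INSERT apply identically, which is what makes the "AJAX is no safer than a form post" observation harmless in practice.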

