> what's to stop someone from reverse engineering your AJAX call and start 
> inserting their own data??

Nothing is going to stop them from playing with code they can get their
hands on. But... what's to stop them from inserting their own data into YOUR
database? Quite simply put... you.

I wouldn't call 'AJAX' any more or less 'secure' than an HTML form. They
both do the same thing. Get data from point A to point B. 'AJAX' can go both
ways of course, but regardless of the method being used to get the data from
point A to point B, you should take care of any such threats at point B. 

You could use cfqueryparam or cfqueryparam or even cfqueryparam and, on
occasion, cfqueryparam but personally... I'd use cfqueryparam. ;-)

Also, anything you wouldn't want someone to see should probably never be put
into a viewable JS var anyway (at least without encrypting it). If you
wouldn't put it in a hidden form field... don't put it in a JS var. 

..:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
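Bobby's point that the checks belong at point B, as an added example that is not from either poster: a remote CFC method of the kind a CFAJAX call would hit, shown first trusting the payload and then validating it and binding with cfqueryparam. The table, column, datasource and session key names are assumptions.

```cfml
<!--- Added example, not from the thread. The client-side JS can be read by
      anyone, so every check happens here on the server ("point B").
      Table, column, datasource and session key names are assumed. --->
<cfcomponent>

    <!--- Weak version: trusts the AJAX payload and concatenates it into SQL.
          Whatever the request carries goes straight into the statement. --->
    <cffunction name="saveCommentUnsafe" access="remote" returntype="boolean">
        <cfargument name="postId"  type="string" required="true">
        <cfargument name="comment" type="string" required="true">
        <cfquery datasource="#application.dsn#">
            INSERT INTO comments (post_id, body)
            VALUES (#arguments.postId#, '#arguments.comment#')
        </cfquery>
        <cfreturn true>
    </cffunction>

    <!--- Hardened version: same endpoint, but the request is validated and
          bound with cfqueryparam, so the database only sees typed values. --->
    <cffunction name="saveComment" access="remote" returntype="boolean">
        <cfargument name="postId"  type="string" required="true">
        <cfargument name="comment" type="string" required="true">

        <!--- Authorisation is decided from server-side session state,
              never from a value the JS sends along --->
        <cfif NOT structKeyExists(session, "userId")>
            <cfreturn false>
        </cfif>

        <!--- Validate type, presence and length before touching the database --->
        <cfif NOT isValid("integer", arguments.postId)
              OR len(trim(arguments.comment)) EQ 0
              OR len(arguments.comment) GT 2000>
            <cfreturn false>
        </cfif>

        <cfquery datasource="#application.dsn#">
            INSERT INTO comments (post_id, user_id, body)
            VALUES (
                <cfqueryparam value="#arguments.postId#" cfsqltype="cf_sql_integer">,
                <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">,
                <cfqueryparam value="#arguments.comment#" cfsqltype="cf_sql_varchar" maxlength="2000">
            )
        </cfquery>
        <cfreturn true>
    </cffunction>

</cfcomponent>
```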
 
 
-----Original Message-----
From: Bryan Stevenson [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 03, 2006 1:58 PM
To: CF-Talk
Subject: AJAX and security

It has just hit me that AJAX may not be all that safe.

One could derive all that is being passed in an AJAX request by using view
source and nabbing any included JS files.  Once you had that info you could
then figure out what's being sent in the request (i.e. variable names etc.).

So in the case of an AJAX call that perhaps sends form contents to be
inserted into the DB....what's to stop someone from reverse engineering your
AJAX call and start inserting their own data??

I'm not readily seeing in the AJAX code where the domain is specified (my
guess is programmatically) as there is no domain setting....just which
CFC/CFM file to call.

I'm still working out the kinks....I love the possibilities of
CFAJAX.....but this security issue (if it really is one) has me a bit
spooked ;-)

TIA

Cheers

Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642
fax: 250.480.1264
cell: 250.920.8830
e-mail: [EMAIL PROTECTED]
web: www.electricedgesystems.com


