POST via AJAX is safe?

0

I’m studying a little bit about web programming and trying to create a virtual store for practice, but some things are still not very clear to me. I am trying to assemble the user registration/login part and I read that the PDO method is safer against SQL injection intrusions than using the POST method, so I started to do it with PDO, but I’m having trouble presenting messages to the user because of the refresh the page does after an action such as registering. Then recently I saw a tutorial on YouTube that taught it in the form below. Can anyone tell me if this form is safe, or if this code is liable to be broken into?

```html
<!-- AJAX for inserting the registration data -->
<script type="text/javascript">
    $(document).ready(function(){

        $('#btn-cadastro').click(function(event){
            // Stop the normal form submission so the page does not refresh.
            event.preventDefault();

            $.ajax({
                url: "cadastrar-usuario.php",
                method: "post",
                // serialize() collects the fields of every <form> on the page.
                data: $('form').serialize(),
                dataType: "text",
                success: function(mensagem){
                    // Clear the previous status class before showing the new message.
                    $('#mensagem').removeClass();

                    // The server answers with plain text; success is detected by exact match.
                    if(mensagem == 'Cadastrado com Sucesso!!'){
                        $('#mensagem').addClass('text-success');

                        // Pre-fill the login form with the data that was just registered.
                        document.getElementById('username').value = document.getElementById('email').value;
                        document.getElementById('pass').value = document.getElementById('senha').value;

                        // Clear the registration fields.
                        $('#nome').val('');
                        $('#telefone').val('');
                        $('#cpf').val('');
                        $('#email').val('');
                        $('#senha').val('');

                        //$('#btn-fechar').click();
                        //location.reload();
                    }else{
                        $('#mensagem').addClass('text-danger');
                    }

                    $('#mensagem').text(mensagem);
                }
            });
        });
    });
</script>

<!-- AJAX for recovering the password -->
<script type="text/javascript">
    $(document).ready(function(){

        $('#btn-rec').click(function(event){
            // Stop the normal form submission so the page does not refresh.
            event.preventDefault();

            $.ajax({
                url: "recuperar.php",
                method: "post",
                data: $('form').serialize(),
                dataType: "text",
                success: function(mensagem){
                    $('#mensagem2').removeClass();

                    if(mensagem == 'Senha enviada para o seu Email!'){
                        $('#mensagem2').addClass('text-success');

                        // Pre-fill the login username with the e-mail used for recovery.
                        document.getElementById('username').value = document.getElementById('email-recuperar').value;

                        $('#email-recuperar').val('');

                        //$('#btn-fechar').click();
                        //location.reload();
                    }else{
                        $('#mensagem2').addClass('text-danger');
                    }

                    $('#mensagem2').text(mensagem);
                }
            });
        });
    });
</script>
```
  • Do not confuse PDO with the POST request method.

2 answers

1

I will follow the same line as the previous answers and comments. Let’s start with this part of your question:

I am trying to assemble the user registration/login part and I read that the PDO method is safer against intrusions of the type sql Injection than using the post method

PDO is a PHP extension (API) for database access that supports several database systems (MySQL, Postgres, SQL Server, Oracle, SQLite, etc.). Something you can compare PDO to is the mysqli extension, which serves exclusively to access MySQL databases (as the name suggests). In general PDO is a good choice; there is even a question here on SOpt making a comparison.

The POST method, on the other hand, is related to the HTTP protocol; it is not exclusively part of the PHP language. Let’s look at a definition of the HTTP protocol taken from the Mozilla Developers wiki (a good learning source for web technologies in general):

The HTTP protocol defines a set of request methods responsible for indicating the action to be executed for a given resource. Although these methods can be described as nouns, they are also commonly referred to as HTTP verbs. Each of them implements a different semantics, but some features are shared by a group of them; for example, any request method can be safe, idempotent or cacheable.

The most commonly used HTTP methods for sending form data (and other information) are GET, POST, UPDATE and DELETE (see the rest at the Mozilla MDN link quoted above). Each has a semantics and a specific use case; for example, you use the GET method when you want to list server data, and the POST method when you want to send something to be saved on the server. But of course it is always possible to force things (use bad practices) and do everything using a single method, for example sending everything as GET.

So, coming back to your question, the PDO class is not directly related to the POST method of the HTTP protocol. The POST method is related to how the browser running your application will send the data to the server (in the body of the HTTP request or in the URL, for example). PDO is related to how the data received by the server from the client will be saved in the database.

As for sending the POST request via AJAX, simply doing this does not determine whether the system will be safe or unsafe, because at the end of the day, when the form is submitted, a POST request will be made to the server, in the same way as would be done if you used AJAX to do it.

So, at the end of the day, you want to know if the code you wrote is safe (the JavaScript code you put in the question). The answer is: it depends.

It depends on how the PHP code on the server that receives this data from the client is written: whether you are using the PDO API correctly (using prepared statements to send the data from the $_POST array to the database, instead of simply concatenating the variables into the SQL query, which leaves it subject to SQL code injection). These and other aspects of security can be studied in more depth with the materials indicated in the links below (they are extensive, but they are a good starting point for learning more about security).

  • Perfect, thank you very much, now I understand the points and I will start studying the materials you indicated to me! Thank you very much!

  • Thank you very much to everyone who responded. I’m not seeing any place here to end the issue (first time on the forum), but thank you for helping me a lot!

-3

Security is not related to the front end, but to the server. Yes, POST is a safe method, especially because the user can make a request without going through the front end, using software like Postman.

You must ensure security always at the server level and never at the client level, since anyone can change the code.

Remember, always use https to ensure data is encrypted.

  • 2

"Security is not related to the front end", "and never at the client level": these statements are very dangerous. What about letting the password be displayed on the page? Security should be applied at all possible points, it is never too

So should I conclude that the above code is safe, but that I have to ensure security on the server? How do I do that? Do you have some material to recommend so I can study?
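As an added example (not code from the question or from either answer), this is what the first answer means by using PDO correctly on the server, and what the last comment's "ensuring security on the server" looks like for a handler such as cadastrar-usuario.php: the values from $_POST are validated on the server and bound with a prepared statement instead of being concatenated into the SQL text. It runs against an in-memory SQLite database so it can be executed offline; the table name usuarios, its columns, the validation rules, the password hashing and every message other than 'Cadastrado com Sucesso!!' are assumptions, not taken from the thread.

```php
<?php
// Added example, not code from the question or answers. Table, columns,
// validation rules and messages (except 'Cadastrado com Sucesso!!') are assumed.
declare(strict_types=1);

function openDb(): PDO {
    // In-memory SQLite so the example runs offline; swap the DSN for your MySQL one.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE usuarios (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        nome TEXT NOT NULL,
        email TEXT NOT NULL UNIQUE,
        senha_hash TEXT NOT NULL)');
    return $pdo;
}

// INSECURE (for contrast only): the request values become part of the SQL
// text, so any quote in the data changes the statement itself.
function cadastrarInseguro(PDO $pdo, array $post): void {
    $sql = "INSERT INTO usuarios (nome, email, senha_hash) VALUES ('"
         . $post['nome'] . "', '" . $post['email'] . "', '" . $post['senha'] . "')";
    $pdo->exec($sql);
}

// SAFE: validate on the server (the JavaScript in the browser can be bypassed
// with tools like Postman), then bind the values with a prepared statement so
// the database receives them as data, never as SQL.
function cadastrarSeguro(PDO $pdo, array $post): string {
    $nome  = trim((string)($post['nome']  ?? ''));
    $email = trim((string)($post['email'] ?? ''));
    $senha = (string)($post['senha'] ?? '');

    if ($nome === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($senha) < 8) {
        return 'Dados inválidos!';               // assumed error message
    }

    $stmt = $pdo->prepare(
        'INSERT INTO usuarios (nome, email, senha_hash) VALUES (:nome, :email, :senha_hash)'
    );
    try {
        $stmt->execute([
            ':nome'       => $nome,
            ':email'      => $email,
            // Store a salted hash, never the plain password.
            ':senha_hash' => password_hash($senha, PASSWORD_DEFAULT),
        ]);
    } catch (PDOException $e) {
        // UNIQUE violation on email: answer without echoing the driver's error text.
        return 'Email já cadastrado!';           // assumed error message
    }
    // Exact string the client script in the question compares against.
    return 'Cadastrado com Sucesso!!';
}

// Demonstration with constructed requests (what $_POST would contain).
$pdo = openDb();

// A perfectly legitimate name containing an apostrophe breaks the insecure
// version (SQL syntax error) but is plain data to the prepared statement.
$irlandes = ['nome' => "O'Brien", 'email' => 'obrien@example.com', 'senha' => 'senha-forte-123'];
try {
    cadastrarInseguro($pdo, $irlandes);
} catch (PDOException $e) {
    echo 'Insecure version failed: ', $e->getMessage(), PHP_EOL;
}
echo cadastrarSeguro($pdo, $irlandes), PHP_EOL;   // Cadastrado com Sucesso!!
echo cadastrarSeguro($pdo, $irlandes), PHP_EOL;   // Email já cadastrado!
echo cadastrarSeguro($pdo, ['nome' => 'x', 'email' => 'nao-e-email', 'senha' => '123']), PHP_EOL; // Dados inválidos!

// As the real endpoint for dataType: "text", the handler would end with:
// header('Content-Type: text/plain; charset=utf-8'); echo cadastrarSeguro($pdo, $_POST);
```

The client-side script in the question stays as it is: it only decides which colour to give the message. Everything that protects the data (validation, the prepared statement, the password hash) lives in the PHP handler, which is exactly what both answers mean by security at the server level.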
