JavaScript
Alexander, 2016-11-27 16:08:16

How secure is the code?

I recently started working with jQuery; I'm learning a little, and I'm worried about the security of this code:

$("#promocode").keyup(function() {
      var promocode = $(this).val();
      var countSim = promocode.length;
      if(countSim == 7) {
        $.ajax({
            type: "GET", // request method, POST or GET (GET is the default if omitted)
            url: "page/basket/checkPromocode.php",
            data: {sendpromocode:promocode}, // data to send, if needed
            success: function(data) {  // runs when the request completes successfully
            var result = $.parseJSON(data); // parse the reply once instead of on every use
            if(result.error != 'Промо - код не принят!') {
              $('#errorStyle').attr('style', 'padding: 0px 0px 20px 0px;border: 2px solid #8BC34A;border-radius: 10px;box-shadow: 0 0 8px #8BC34A;background-color: #dbf7bb;');
              $('#loadPromoError').html('Скидка по промо - коду');
              $('#loadsumPromo').show('slow');
              $('#sumSkdPromo').show('slow');
              $('#sumSkdPromo').html(result.skdsum);
              $('#totalPrice').attr('style', 'text-decoration: line-through;font-size: 12pt;');
              $('#totalPricePromocode').show('slow');
              $('#totalPricePromocode').html(result.strNewSum);
            } else {
              $('#errorStyle').attr('style', 'padding: 0px 0px 20px 0px;border-radius: 10px;border: 2px solid #e07575;box-shadow: 0 0 8px #e07575;background-color: #ffdada;');
              $('#loadsumPromo').show('slow');
              $('#sumSkdPromo').hide();
              $('#loadPromoError').html(result.error);
            }
            }
        });
      } else {
        $('#loadsumPromo').hide();
        $('#sumSkdPromo').hide();
        $('#totalPricePromocode').hide();
        $('#totalPrice').removeAttr('style'); // removeAttr takes only the attribute name
      }
    });

The code is certainly not perfect, but it is what it is :) The question is: can an attacker somehow do mischief using this code? The page with the script itself is protected against rebounds, frequent hits and, of course, the magical strip_tags... Thanks for the answers and suggestions on the code :)


1 answer(s)
xmoonlight, 2016-11-27
@SmoKE_xD

At the very least, you need the backend code: page/basket/checkPromocode.php
If you check $_GET['sendpromocode'] via a regex,
for example (the code length is always 8 characters): /[a-z0-9]{8}/i, then you can say that everything is safe.
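An added example, not code from either post, showing the two points a reviewer would raise about the script in the question and the regex in the answer: the whole-value check must be anchored (and repeated on the server in checkPromocode.php, since the keyup handler is only a convenience), and strings coming back from the server should reach the page as text, never through .html(). The element ids and the reply fields (error, skdsum, strNewSum) are taken from the question; treating a reply as accepted only when it has no error and both amounts are present is an assumption of this example.

```javascript
// Added example (not from the question or the answer): hardened handling
// of the promo-code flow. Ids and reply fields follow the question's script.

// Anchored: the whole value must be exactly 8 letters/digits. The answer's
// unanchored /[a-z0-9]{8}/i also accepts "abcdefgh<script>", because it only
// needs 8 such characters somewhere in the string. checkPromocode.php must
// apply the same anchored test to $_GET['sendpromocode']; the client copy
// only avoids pointless requests and is not a security boundary.
const PROMOCODE_RE = /^[a-z0-9]{8}$/i;

function validatePromocode(raw) {
  if (typeof raw !== "string") return null;
  const code = raw.trim();
  return PROMOCODE_RE.test(code) ? code.toUpperCase() : null;
}

// Parse the JSON reply once and reduce it to plain strings. Assumption of
// this example: the reply is accepted only when it carries no "error" and
// both amounts are present; anything else is shown as an error message.
function parsePromoResponse(body) {
  let data;
  try { data = JSON.parse(body); } catch (e) { data = null; }
  if (data === null || typeof data !== "object") {
    return { ok: false, message: "Invalid reply from server" };
  }
  if (typeof data.error === "string" && data.error !== "") {
    return { ok: false, message: data.error.slice(0, 200) };
  }
  if (typeof data.skdsum !== "string" || typeof data.strNewSum !== "string") {
    return { ok: false, message: "Invalid reply from server" };
  }
  return { ok: true, discount: data.skdsum, total: data.strNewSum };
}

// Push the view into the page through a text-only setter, for example
// (id, t) => $("#" + id).text(t), so server strings never reach .html().
// An error message that echoes the submitted code is then shown literally
// instead of being interpreted as markup.
function renderPromoView(view, setText) {
  if (view.ok) {
    setText("loadPromoError", "Discount applied");
    setText("sumSkdPromo", view.discount);
    setText("totalPricePromocode", view.total);
  } else {
    setText("loadPromoError", view.message);
  }
  return view.ok;
}
```

In the keyup handler this replaces the length check with validatePromocode() and the success callback with renderPromoView(parsePromoResponse(data), setText); the show/hide styling from the original stays as it is.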
