AJAX
good_beginer, 2018-11-21 11:30:51

What is the risk of ajax requests to the server?

I came across this way of sending data from a form to the server. It works fine, but a question about security came up immediately. Is it worth becoming paranoid with such requests and generating secret tokens, checking that keys match, etc.?
app.js

var servResponse = document.querySelector('#returned');

document.forms.myform.onsubmit = function (e) {
  // Stop the normal form submission; the original used the undeclared
  // global "event" here instead of the handler's "e" parameter.
  e.preventDefault();

  var testInput = document.forms.myform.myForm_input.value;
  testInput = encodeURIComponent(testInput);
  var xmlca = new XMLHttpRequest();

  xmlca.open('POST', 'controller.php');
  xmlca.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');

  xmlca.onreadystatechange = function () {
    if (xmlca.readyState === 4 && xmlca.status === 200) {
      // textContent (not innerHTML) so the response is shown as plain text
      servResponse.textContent = xmlca.responseText;
    }
  };
  xmlca.send('myForm_input=' + testInput);
};

view.html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
  <title>Document</title>
</head>
<body>
  <div id="returned"></div>

  <form name="myform">
    <input type="text" name="myForm_input">
    <input type="submit" name="myForm_submit" value="submit">
  </form>
  <script type="text/javascript" src="app.js"></script>
</body>
</html>

controller.php
<?php
// Default to an empty string so a request without the field does not raise
// an undefined-index notice.
$info = $_POST['myForm_input'] ?? '';

switch ($info) {
  case '1':
    echo 'this is 1';
    break;
  case '2':
    echo 'this is 2';
    break;
  default:
    echo 'is not number';
    break;
}
?>

2 answer(s)
Anton Neverov, 2018-11-21
@TTATPuOT

The request is simple; the logic there is worth two kopecks. Moreover, no secret data is output as a result.
It makes sense to keep sessions, authorization keys, etc. only in the case of either complex and demanding logic, or simply for those requests that return non-public data. For everything else, no; it is just extra load.

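For the case the answer above carves out, requests that return non-public data, one way to do the token check the asker wonders about: a per-session CSRF token issued with the page and verified in controller.php before the switch runs. This is an added example, not code from the thread; it assumes the form page is rendered by PHP on the same origin so it can print the token, and that app.js sends the token back in an X-CSRF-Token header (both assumptions).

```php
<?php
// Hardened controller.php (added example, not the asker's code).
// Assumes the token is printed into the page that renders the form and
// that app.js sends it in an X-CSRF-Token header.
declare(strict_types=1);

session_start();

// Issue one random token per session. The page that renders the form prints
// it, e.g. <meta name="csrf-token" content="<?= csrf_token() ?>">, and app.js
// sends it with xmlca.setRequestHeader('X-CSRF-Token', token).
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only if the request carries the token bound to this session.
// hash_equals compares in constant time, so the check does not leak by timing.
function csrf_check(?string $sent): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && $sent !== null && hash_equals($expected, $sent);
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}
if (!csrf_check($_SERVER['HTTP_X_CSRF_TOKEN'] ?? null)) {
    http_response_code(403);
    exit('missing or invalid CSRF token');
}

$info = $_POST['myForm_input'] ?? '';

header('Content-Type: text/plain; charset=utf-8');
switch ($info) {
    case '1':
        echo 'this is 1';
        break;
    case '2':
        echo 'this is 2';
        break;
    default:
        echo 'is not number';
        break;
}
```

A cross-site page cannot read the token out of your page or set a custom header on a simple form post, so a forged request from elsewhere fails the check while the page's own XMLHttpRequest passes.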
Dima Pautov, 2018-11-21
@bootd

And what actually bothered you here? What is wrong with this code? A normal ajax request, a normal form. What's wrong here?
