Ajax Security Question



Falkon303
10-15-2009, 05:03 PM
So,

I've made an Ajax request page that calls itself. I utilized the Prototype "serialize" function to pass all of my form variables as well in this example, and so it's very efficient. My question is that of security, and if there is perhaps a higher probability of injection *if the file is calling itself rather than an external file*, and if so - why? Any insight on this method would be appreciated, as I find it very useful. Here's the code.

- Best



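<?php
// THIS GOES RIGHT BEFORE THE DOCTYPE TAG //
// Replies in the form "<element id>[target]<content>"; the posted value is echoed back as received.
if (!empty($_POST['indreq'])) {
    echo "regresponse[target]Request Received:" . $_POST['indreq'];
}
?>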



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Ajax</title>

<script src="scripts/prototype.js" type="text/javascript"></script>
<script src="scripts/unittest.js" type="text/javascript"></script>
<script src="scripts/scriptaculous.js" type="text/javascript"></script>
<script type="text/javascript">
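window.onload = startfunctions;
// Wire the Register button to the Ajax request once the page has loaded.
function startfunctions() {
  $('send').onclick = function() { request(); };
}
// POST the serialized form back to this same page (index.php).
function request() {
  new Ajax.Request('index.php', {
    method: 'post',
    parameters: { indreq: $('form1').serialize() },
    onSuccess: function(p) {
      // Response format: "<element id>[target]<content>"
      var target = p.responseText.split("[target]");
      $(target[0]).update(target[1]);
    }
  });
}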
</script>
<style type="text/css">
label {font-size:11px;color:#333333;font-family:Arial, Helvetica, sans-serif;}
input[type=text]{border:1px solid #333333;font-size:11px;color:#333333;font-family:Arial, Helvetica, sans-serif;}
input[type=password]{border:1px solid #333333;font-size:11px;color:#333333;font-family:Arial, Helvetica, sans-serif;}
input[type=button]{border:1px solid #333333;font-size:11px;color:#333333;font-family:Arial, Helvetica, sans-serif;background-color:#ffffff;}
#regresponse{color:#003300;font-size:11px;font-family:Arial, Helvetica, sans-serif;}
#error{float:left;height:200px;padding:20px;color:#003300;}
</style>
</head>
<body>
<form id="form1" name="form1" style="width:150px;">
<label>email address:<input type="text" name="email_address" id="email_address" /></label>
<label>desired password:<input type="password" name="password" id="password" /></label>
<label>repeat password:<input type="password" name="password2" id="password2" /></label>
<p><input type="button" name="send" id="send" value="Register" /></p>
</form>
<div id="regresponse" name="regresponse"></div>
</body>
</html>
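
The "element id[target]content" response format used in the post above, handled defensively on the client; this is an added example, not part of the original post. The injection exposure comes from echoing the posted value and inserting it as HTML, which is the same whether the page posts to itself or to a separate file. `parseResponse`, `escapeHtml` and `ALLOWED_TARGETS` are names chosen for this example, and the sample responses are constructed.

```javascript
// Added example: parse "<element id>[target]<content>" without trusting either half.
var DELIM = '[target]';
var ALLOWED_TARGETS = ['regresponse']; // element ids the response may update

// Encode the HTML-significant characters so the content renders as text.
function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Split on the FIRST delimiter only, so a "[target]" inside the echoed
// content cannot truncate or shift the fields; reject unknown element ids.
function parseResponse(responseText) {
  var i = responseText.indexOf(DELIM);
  if (i < 0) { return null; }
  var id = responseText.slice(0, i);
  if (ALLOWED_TARGETS.indexOf(id) === -1) { return null; }
  return { id: id, html: escapeHtml(responseText.slice(i + DELIM.length)) };
}

// Constructed sample responses (not captured traffic).
var SAMPLE_OK = 'regresponse[target]Request Received:email_address=a%40example.com';
var SAMPLE_MARKUP = 'regresponse[target]Request Received:<i>x</i> & "q"[target]tail';
var SAMPLE_BAD_ID = 'form1[target]anything';

// In the page's onSuccess handler this would be used as:
//   var r = parseResponse(p.responseText);
//   if (r) { $(r.id).update(r.html); }
```

The server-side counterpart is to pass `$_POST['indreq']` through PHP's `htmlspecialchars()` before echoing it.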