I'm working on a very simple one-tiered commenting system using jQuery/Ajax/PHP/MySQL. The page initially displays a main comment which users may post replies to.
<div id="com100">Parent Comment</div>
I was advised to use the parent comment's div id value, com100, as a parent ID in a MySQL INSERT statement for each corresponding reply.
My question: is this safe? Can't the div's id value be changed by any user, potentially inserting replies associated with the wrong comment, or worse?
Data is being validated and bindParam is being used. I'm more concerned with replies being stored under the wrong parent comment. Any advice is appreciated.
The main question, really is how that div ID is passed to the back end. Presumably, with the technology you're using, you're going to grab the ID using Javascript/jQuery and then send it to the server, using a standard POST request. In this case, it's the POST request that is vulnerable. Someone will be able to read your code, see how the data is POSTed to the server, and then fake the same call with a different ID.
Up to that point, on the client side, you're normally fine to rely on the IDs of the DIVs -- grab them without validation using your jQuery, assume they're the right, server-generated values, and so on. The validation of the ID should be done at the server end, after the POST has come in. Does the ID make sense? Does that comment exist? Is the authenticated user allowed to post a comment under that parent ID, etc.
So, don't worry about people changing the DIV's ID in the document, because that's just a complicated and unlikely way of doing what could be done with a faked POST request anyway. But do validate your data server-side, once the POST comes in.
Fundamentally, it doesn't matter how much validation you do on the client side, as an attacker doesn't have to use any of your code to fake a POST request. They just need to know the URL you're POSTing to and the names of the POST variables, which will always be easily available to them through reading your code or simply intercepting your valid POST requests. You can validate on the client side for genuine user mistakes, or even for mistakes in your own code, but you should validate on the server side for security and data integrity.
is this safe?
Depends on what you call safe.
You can never ever trust user input. A user can always change the value of 'parent comment'.
You need to make sure that the user is allowed to post a comment with that parent comment on the server side.
It seems an exceptionally stupid idea to me to mix display attributes with database attributes. There is no guarantee anywhere that they will always be in sync.
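The following is an added example, written for this page and not code from the asker or either answerer, showing what "validate on the server side once the POST comes in" looks like for both answers above: the handler checks that the submitted parent ID is well-formed, that the comment exists and is a top-level one, and that the session user is allowed to reply, all before the INSERT. It assumes a table comments(id, parent_id, user_id, locked, body), a file db.php that creates a PDO connection $pdo in exception mode, a session that holds user_id, an entry point reply.php, and a locked column as the stand-in authorization rule; all of those are assumptions for the example.

```php
<?php
// Added example (not the asker's or answerers' code). Assumed schema:
//   comments(id INT PRIMARY KEY, parent_id INT NULL, user_id INT,
//            locked TINYINT, body TEXT)
// Assumed db.php creates $pdo with
//   $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
require __DIR__ . '/db.php';

function insertReply(PDO $pdo, int $currentUserId, array $post): int
{
    // 1. Syntactic check. The client sends the div id ("com100"); accept only
    //    that exact shape and extract the number. Anything else is rejected
    //    before it gets near SQL. (Sending a plain numeric data-id attribute
    //    instead of the display id would remove this parsing step.)
    if (!isset($post['parent'])
        || !preg_match('/^com(\d{1,10})$/', (string) $post['parent'], $m)) {
        throw new InvalidArgumentException('malformed parent id');
    }
    $parentId = (int) $m[1];

    $body = trim((string) ($post['body'] ?? ''));
    if ($body === '' || strlen($body) > 4000) {
        throw new InvalidArgumentException('empty or oversized reply');
    }

    // 2. Semantic check. Does that parent exist, and is it a top-level
    //    comment? In a one-tier system a reply may not itself be a parent,
    //    so an id that points at another reply is rejected here too.
    $sel = $pdo->prepare(
        'SELECT locked FROM comments WHERE id = :id AND parent_id IS NULL'
    );
    $sel->bindParam(':id', $parentId, PDO::PARAM_INT);
    $sel->execute();
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException('no such parent comment');
    }

    // 3. Authorization check. Whatever the rule is (thread locked, user
    //    banned, private thread), it is decided from server-side state,
    //    never from anything the request says about itself. The assumed
    //    "locked" column stands in for that rule here.
    if ((int) $row['locked'] === 1) {
        throw new RuntimeException('thread is locked');
    }

    // 4. Only now insert, with every value bound as a parameter.
    $ins = $pdo->prepare(
        'INSERT INTO comments (parent_id, user_id, body, locked)
         VALUES (:parent, :user, :body, 0)'
    );
    $ins->bindParam(':parent', $parentId, PDO::PARAM_INT);
    $ins->bindParam(':user', $currentUserId, PDO::PARAM_INT);
    $ins->bindParam(':body', $body, PDO::PARAM_STR);
    $ins->execute();

    return (int) $pdo->lastInsertId();
}

// Request entry point (assumed reply.php). The session, not the POST body,
// says who is posting. A forged request such as
//   curl -d 'parent=com999&body=hi' https://example.invalid/reply.php
// reaches exactly the same code path as a genuine jQuery $.post() call,
// which is why the checks live here and not in the page's JavaScript.
session_start();
if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    exit;
}
header('Content-Type: application/json');
try {
    $newId = insertReply($pdo, (int) $_SESSION['user_id'], $_POST);
    echo json_encode(['id' => $newId]);
} catch (InvalidArgumentException | RuntimeException $e) {
    http_response_code(400);
    echo json_encode(['error' => $e->getMessage()]);
}
```

The point of the ordering is that the parent ID is treated as untrusted input until step 2 confirms it names a real top-level comment; a forged "com999" fails there, and a reply aimed at a reply fails the parent_id IS NULL condition, so nothing can be stored under the wrong parent regardless of what the browser's DOM said.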