I've got a specific situation about which I'd like some security advice. Essentially my real question is: "If I control what's in a database (no user-posted data), is it a security concern to return the results of the database query as HTML (via AJAX)?"
Here's the process that's happening:
- A daily build creates an XML doc.
- My server retrieves this XML doc, parses it (with PHP) and inserts it into a database.
- The user goes to the site, and an AJAX request is sent (parameters include the number of results to return, how to sort, and a search term if required).
- A PHP script queries the database and returns the results to the AJAX callback.
- The AJAX callback inserts the result into the page for viewing.
Pretty standard stuff...
More background: I use prepared SQL statements, so that limits the user-provided search query and any URL tampering from producing an arbitrary query. The XML file is alphanumeric only, no code. The reason I want to return HTML is to limit client-side work as much as possible; with HTML, there's no need to fuss with JS to build the page (except to use jQuery to inject the HTML block).
Any recommendations for me?
Thanks in advance.
PS - this is still in the planning stage, so there's no real code to show.
As long as you control the input 100%, there's very little chance of injection or XSS attacks. Any attacks that may occur, such as changing part of or inserting into the response on the wire, happen no matter what security measures you have in place.
Just keep the database secure.
Sounds like you're doing pretty standard stuff. Many people use AJAH (HTML instead of XML or JSON) for the same reasons you mentioned.
A possible spot for XSS is if you display the search terms in the AJAX response.
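The endpoint sketched in the question (prepared statement, limit/sort/search parameters, HTML fragment returned to the AJAX callback), together with the reflected search term the second answer warns about, as an added example. This is not code from the question or either answer; the table name `items`, its columns, the request parameter names `limit`, `sort`, `dir` and `q`, and the in-memory SQLite database used for the demo are all assumptions made for illustration.

```php
<?php
// Added example (not from the original post): a PHP endpoint that returns an
// HTML fragment for an AJAX request. Table `items`, its columns, and the
// request parameter names are assumptions for this illustration.
declare(strict_types=1);

// Sort column and direction are SQL identifiers, so they cannot be bound as
// prepared-statement parameters; map them through a whitelist instead.
const SORT_COLUMNS = ['name' => 'name', 'company' => 'company', 'score' => 'score'];
const SORT_DIRS    = ['asc' => 'ASC', 'desc' => 'DESC'];

function h(string $s): string
{
    // Escape for an HTML text or attribute context, always as UTF-8.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function buildFragment(PDO $db, array $params): string
{
    $limit = max(1, min(100, (int) ($params['limit'] ?? 20)));
    $sort  = SORT_COLUMNS[$params['sort'] ?? 'name'] ?? 'name';
    $dir   = SORT_DIRS[strtolower((string) ($params['dir'] ?? 'asc'))] ?? 'ASC';
    $term  = trim((string) ($params['q'] ?? ''));

    $sql = 'SELECT name, company, score FROM items';
    if ($term !== '') {
        // '!' is the LIKE escape character; it works in SQLite, MySQL and PostgreSQL.
        $sql .= " WHERE name LIKE :term ESCAPE '!' OR company LIKE :term ESCAPE '!'";
    }
    // $sort and $dir are whitelisted values, never raw request input.
    $sql .= " ORDER BY $sort $dir LIMIT :limit";

    $stmt = $db->prepare($sql);
    if ($term !== '') {
        // Escape LIKE metacharacters so the user cannot widen the match with % or _.
        $stmt->bindValue(':term', '%' . addcslashes($term, '%_!') . '%', PDO::PARAM_STR);
    }
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();

    $out = '';
    if ($term !== '') {
        // The search term is the one piece of user input reflected into the
        // response: without h() this line is a reflected XSS.
        $out .= '<p>Results for <strong>' . h($term) . '</strong></p>';
    }
    $out .= '<table><tr><th>Name</th><th>Company</th><th>Score</th></tr>';
    foreach ($stmt as $row) {
        // Escape database values as well: "alphanumeric only" describes today's
        // feed, not a guarantee about every future build.
        $out .= '<tr><td>' . h((string) $row['name']) . '</td><td>'
              . h((string) $row['company']) . '</td><td>'
              . h((string) $row['score']) . '</td></tr>';
    }
    return $out . '</table>';
}

// Demo with constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (name TEXT, company TEXT, score INTEGER)');
$db->exec("INSERT INTO items VALUES ('Alice', 'Acme', 90), ('Bob', 'Globex', 75), ('Carol', 'Acme', 60)");

// When run from the CLI there is no query string, so use constructed hostile
// parameters: a script tag as the search term and a tampered sort direction.
$params = $_GET ?: ['q' => '<script>alert(1)</script>', 'sort' => 'score', 'dir' => 'desc; DROP TABLE items'];

header('Content-Type: text/html; charset=UTF-8');
echo buildFragment($db, $_GET ?: ['q' => 'ac', 'sort' => 'score', 'dir' => 'desc']), "\n";
echo buildFragment($db, $params), "\n";
```

The first call returns the two Acme rows, highest score first, with the term shown as plain text; the second returns an empty table whose heading line contains `&lt;script&gt;`, not a live tag, and whose sort direction has silently fallen back to `ASC` because the tampered value is not in the whitelist. Prepared statements cover the values, the whitelist covers the identifiers, and `h()` covers the one place where request input reaches the HTML.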