chii chii - 6 months ago 21
Ajax Question

Is it safe to use ajax get method to load information for the site?

I have an html page and I need to load some usual information(can be seen by all people) from DB.

so I put this code in the html:

<script type="text/javascript">
$(document).ready( function() {
setTimeout( "getRate()", 100 );
});

function getRate() {
$.ajax( {
type: "GET",
url: "api.php",
dataType: "json",
data: {call: 'getRate'},
success: function(result){

//set result to the DOM element....

},
error: function(){

}
});
}
</script>


and I have a api.php file like this:

<?php

if($_SERVER['REQUEST_METHOD']=="GET") {
$function = $_GET['call'];
if($function == "getRate") {
//get result from DB

echo json_encode(result);
}
}


but my code reviewer said that when put this url in the browser directly "
https://****.com/api.php?call=getRate
", it also returned the json result,is it safe??

well there is no secret information requested by the ajax call,so
it's I think it's OK , but I'm not sure.

Is there any security risk for doing like this?

Answer

If your question is whether or AJAX itself is secure, then yes, AJAX is used all the time to exchange information between a browser and a remote API.

As for your code specifically, there doesn't seem to be a vulnerability here provided:

  1. The raw JSON response truly doesn't have any secret information
  2. The SQL query (or equivalent) used to generate the JSON isn't vulnerable to injection attacks if someone tries to craft the call: getRate param to something malicious.
  3. The AJAX call doesn't alter the state of the database
  4. The AJAX call doesn't tie up resources for anything other than a very small amount of time. For instance someone spamming https://****.com/api.php?call=getRate shouldn't bring down the site.