1

I've made an Ajax login system, which is really simple: login.php simply checks the $_POST[''] fields (if it's correct, it returns ok), by mysqli etc. I secured that part of code by my anti-SQL injection function.

Unfortunately, I don't have much experience with JavaScript, and I'm concerned about the security of my approach. Is it safe enough to put `if(data=='ok')` in JS? Could anyone change that to `(data=='')` in Firebug, somehow?

```javascript
$.ajax({
    type: "POST",
    url: "system/login.php",
    data: dataString,
    cache: false,
    beforeSend: function(){
        $("#login").val('Checking...');
    },
    success: function(data){
        if(data=='ok'){
            // login.php answered 'ok': show the success message, then reload the page
            $("#login").val('Login');
            $("#msg").html("<div class='alert alert-success' role='alert'><b>Success!</b> You have been logged successfully. </div>");
            setTimeout(function(){
                location.reload();
            }, 2000);
        }else{
            // any other response: shake the box and show the error message
            setTimeout(function(){
                $("#loginBox").effect( "shake" );
                $("#login").val('Login');
                $("#msg").html("<div class='alert alert-danger' role='alert'><b>Error!</b> Invalid username and password. </div>");
            }, 1000);
        }
    }
});
```
WinterTime
  • You secure and clean on the server side, so the PHP side. The JS side is the client side and can never be assumed to be safe. – Pogrindis Nov 18 '14 at 13:03
  • 2
    All that code is doing is reloading the page so assuming you have the authenticated user stored in a session/cookie it won't affect the safety of your login – JConstantine Nov 18 '14 at 13:05
  • `"I secured that part of code by my anti-sql injection function"` - I find myself suspecting that your server-side code might not be secure. But you haven't shown it, so nobody here can know. All you've shown is client-side code, which doesn't handle authentication or authorization at all. – David Nov 18 '14 at 13:05
  • @JLevett - Is reloading page because my index is checking if someone is logged then the index is importing different style / files of server. – WinterTime Nov 18 '14 at 13:11
  • @David I've made a function escape(); it seems to be a mysql_real_escape_string. – WinterTime Nov 18 '14 at 13:13
  • @Pogrindis So what do you prefer to use ajax login and JS? Any alternative way for if(Data)? I could do that with php and headers but I just wonder how to do that in the JS. – WinterTime Nov 18 '14 at 13:13
  • 1
    @Potar: You're missing the point. Client-side code doesn't handle security, server-side code does. You're asking us if your code is secure, but aren't showing any code that manages security. No matter how much you *assure* us that your server-side code is secure (and I really, really doubt it is given this thread so far), we can't tell you that it's secure. There's no way to answer this question. – David Nov 18 '14 at 13:16
  • Please, [don't use `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://us1.php.net/pdo) or [MySQLi](http://us1.php.net/mysqli). You will also want to [Prevent SQL Injection!](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Nov 18 '14 at 13:26
  • Okay thanks guys for the answers, @JayBlanchard I'm not using mysql_* functions, I've made an alternative escape function, and I'm using mysqli in my database class. – WinterTime Nov 18 '14 at 13:30
  • Cool - the way that your comment read above it appeared that you were using the `mysql_*` functions. – Jay Blanchard Nov 18 '14 at 13:35

2 Answers

1

Your code is only reloading the page. So if you have fixed any server side not-authorized login holes, then you are fine.
Any input from user is considered unsafe and must be validated server-side. So your jQuery code is unsafe for hacks because it's exposed to user and he can write his own function and try to login (but will not pass server-side validation). But it does not matter for you.

Justinas
  • True, it's reloading page again, because my index is checking if someone is logged, if someone is logged then the php file is importing different files, function logged is checking username and password. Basically, even if someone changes that data!='ok' then it will refresh but the login.php file won't set any session and cookies. – WinterTime Nov 18 '14 at 13:18
-6

I say it's not secure. I would just open the Dev-Tools of Chrome and in place edit your script. I would change

`if(data=='ok')`

to

`if(data != 'ok')`

and then do a right-click -> 'Save' -> Close the 'Save as' Dialog by hitting cancel. And that's it, I have a running script in the browser now that will evaluate to 'Login ok' if the server responds something different than 'ok'.

erg
  • And what can you do with this running script in the browser? What security have you broken? – David Nov 18 '14 at 13:07
  • 2
    It is true that a malicious user could change the Javascript to execute the `data == 'ok'` block incorrectly. But so what? All you've achieved is displaying a 'success' message. If the server didn't approve the login, then the user still won't be authenticated when the page reloads. **If** the server-side code is secure, then there is nothing wrong with OP's code. – Shai Nov 18 '14 at 13:10
  • I know that, that's why I've made that question to be fair. – WinterTime Nov 18 '14 at 13:14
  • You are right, forget what I have written. Can I downvote myself? :P – erg Nov 19 '14 at 10:27
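
The point the comments converge on, as an added example that is not part of the original thread: a Node.js simulation in which `login` stands in for login.php and `renderIndex` for the index page after `location.reload()`. All names, the account `alice` and its password are constructed for illustration, and the `tampered` flag models the check edited to `data != 'ok'`.

```javascript
// Added example, not code from the thread; every name here is hypothetical.
const nodeCrypto = require('crypto');

const hashPassword = (password, salt) => nodeCrypto.scryptSync(password, salt, 32);

// Constructed sample account; only a salted hash is stored.
const salt = nodeCrypto.randomBytes(16);
const users = new Map([['alice', { salt, hash: hashPassword('correct horse', salt) }]]);
const sessions = new Map(); // session id -> username, held only by the server

// Stand-in for login.php: a session is created only when the credentials verify.
function login(username, password) {
  const user = users.get(username);
  const valid = user !== undefined &&
    nodeCrypto.timingSafeEqual(hashPassword(password, user.salt), user.hash);
  if (!valid) return { body: 'fail', sessionId: null };
  const sessionId = nodeCrypto.randomBytes(16).toString('hex');
  sessions.set(sessionId, username);
  return { body: 'ok', sessionId };
}

// Stand-in for the index page after location.reload(): it consults the
// server-side session store and never sees what the browser displayed.
function renderIndex(sessionId) {
  const username = sessions.get(sessionId);
  return username ? `members area for ${username}` : 'login form';
}

// The success handler from the question; `tampered` models the check being
// edited in dev tools to data != 'ok'.
function clientFlow(username, password, tampered) {
  const res = login(username, password);
  const showsSuccess = tampered ? res.body !== 'ok' : res.body === 'ok';
  return { showsSuccess, pageAfterReload: renderIndex(res.sessionId) };
}

console.log(clientFlow('alice', 'wrong guess', true));
console.log(clientFlow('alice', 'correct horse', false));
```

With the check flipped and a wrong password, the browser shows the success banner but the reload still renders the login form, because no session was ever created on the server.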