JS creating search-output page, preventing hijacking

Posted: Thu Nov 18, 2004 4:42 am
by Calimero
I want to use JS to create my Search results / output page.

Technologies involved are Apache 1...., MySQL 4.0.18, PHP 5 (I think) and JavaScript

PHP is used to query the DBs and return the values that are sent as variables to JavaScript for array creation (out of them) and page creation, pagination .....

Because the JavaScript is client side, can someone hijack this in a way to get PHP variables from the server and use them in their own search results creation? So they don't need their own search engine, but they can "steal" data from my DB; they just link to the input page, and take vars on DB query finish.

This came as an idea - security problem. Can this really be done, or am I just being paranoid? (Asking to know whether I need to create the output page on the server and send it "completed" through the web, or is this method safe enough.)

Note - I'm relatively new to JS, so my knowledge is small but developing.
:)

Posted: Thu Nov 25, 2004 5:26 pm
by rehfeld
curious though. why would you want to create the result html client side?

I mean, I see the benefit of small result pages to the browser to increase download speed etc.... but gzip does a superb job at reducing the size of documents which have a lot of repetitive info (like <tr> and <td> etc...) which seems like what you're trying to reduce.



while yes they could easily "steal" your results, but they could do that no matter what. if they didn't steal it in javascript form, then they could just parse your html and get it anyway. it might take them a bit more time, but not much....someone who is somewhat familiar w/ regex could prob write the code to do it in under 30min.


there's lots of ways to make it "harder" for people to steal your results, but the fact remains: if the browser can display it, it can be stolen.

if you still wanna do it w/ js, you might find XMLHTTP useful for this. it's pretty cool.