js and php intertwine

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


thegreatone2176
Forum Contributor
Posts: 102
Joined: Sun Jul 11, 2004 1:27 pm


Post by thegreatone2176 »

I don't think this is the right spot for this, but it is theory, so here it goes.

I've been hearing some stuff and have seen a few pages talking about developers trying to get JS and PHP to run more closely, and I think this is a bad idea for security reasons. Imagine if JS was developed to use and/or read PHP variables. That would mean any type of XSS attack could read variables and output them to the attacker, and the admin would not have much of a chance of noticing it. Also, for big open source projects where all variables can easily be looked up by checking the source, this could be a huge problem: for example, an attacker could document.write($DbPassword) and have the MySQL details of the site.

Also, if developers used PHP variables in JavaScript and someone edited the HTML source, there could be all sorts of manipulation problems/authentication bypasses and more problems of gaining passwords and usernames.

Has anyone else been hearing/seeing about these two languages merging more closely and/or thought of the security consequences of such an action?
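An added example, not code from the thread or from Sajax, showing where the boundary the post above worries about actually sits. PHP variables never reach the browser unless the script writes them into the response, so in a Sajax-style setup the real exposure is (a) whatever a template echoes into JavaScript and (b) every server function the endpoint lets the client call, which an XSS payload can invoke with the victim's own session and cookies. The function names, the `fn`/`args`/`token` request fields and the sample data are all hypothetical; the code needs PHP 8 for `match`.

```php
<?php
// Added example (not from the thread or from Sajax): a minimal Sajax-style
// RPC endpoint. All names and data here are hypothetical/constructed.
declare(strict_types=1);

// Server-side configuration. Nothing in this array reaches the browser
// unless code below explicitly writes it into the response.
$config = [
    'db_password' => 'hypothetical-secret',
    'site_name'   => 'Example Site',
];

// Only functions listed here may be called from JavaScript. A request naming
// anything else (phpinfo, an internal helper, ...) is refused before dispatch.
const EXPORTED_FUNCTIONS = ['getProfile', 'updateEmail'];

// Business logic. The user id comes from the server-side session, never from
// the request, so editing the page source or crafting a request cannot select
// another account.
function getProfile(int $userId): array
{
    // Constructed sample data standing in for a database lookup.
    $users = [1 => ['id' => 1, 'email' => 'alice@example.com']];
    return $users[$userId] ?? ['error' => 'no such user'];
}

function updateEmail(int $userId, string $newEmail): array
{
    if (filter_var($newEmail, FILTER_VALIDATE_EMAIL) === false) {
        return ['error' => 'invalid email'];
    }
    // A parameterised UPDATE users SET email = ? WHERE id = ? would go here.
    return ['ok' => true, 'id' => $userId, 'email' => $newEmail];
}

// Dispatcher: the part a Sajax-style library generates for you. The checks
// are the part that matters for security.
function dispatch(array $request, array $session): array
{
    if (!isset($session['user_id'])) {
        return ['error' => 'not logged in'];
    }
    $fn = (string)($request['fn'] ?? '');
    if (!in_array($fn, EXPORTED_FUNCTIONS, true)) {
        return ['error' => 'unknown function'];
    }
    // Anti-CSRF: the token must match the one issued to this session, so a
    // third-party page cannot make the victim's browser call the endpoint.
    // Note the limit: script injected into *this* site's page can read the
    // token from pageConfig and pass this check, which is why output escaping
    // against XSS is still required.
    $token = (string)($request['token'] ?? '');
    if (!hash_equals((string)($session['csrf_token'] ?? ''), $token)) {
        return ['error' => 'bad token'];
    }
    $args = is_array($request['args'] ?? null) ? $request['args'] : [];
    return match ($fn) {
        'getProfile'  => getProfile($session['user_id']),
        'updateEmail' => updateEmail($session['user_id'], (string)($args[0] ?? '')),
    };
}

// What the page's own JavaScript (and any script an attacker injects into it)
// can see: only the values explicitly echoed here. Writing
// $config['db_password'] into this template is the mistake the post fears;
// the fix is simply not to echo it. The JSON_HEX_* flags keep the encoded
// values from closing the <script> element or breaking out of the literal.
function renderClientConfig(array $config, array $session): string
{
    $public = [
        'siteName'  => $config['site_name'],
        'csrfToken' => $session['csrf_token'],
    ];
    $json = json_encode($public, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return '<script>var pageConfig = ' . $json . ';</script>';
}

// Constructed demonstration input (no real HTTP request or session store).
$session = ['user_id' => 1, 'csrf_token' => bin2hex(random_bytes(16))];
echo renderClientConfig($config, $session), "\n";
var_dump(dispatch(['fn' => 'getProfile', 'token' => $session['csrf_token']], $session));
var_dump(dispatch(['fn' => 'phpinfo', 'token' => $session['csrf_token']], $session));
var_dump(dispatch(['fn' => 'updateEmail', 'token' => 'wrong', 'args' => ['x@example.com']], $session));
```

Run it with `php example.php`: the first call returns Alice's profile, the second is refused as an unknown function, and the third fails the token check. The design choice worth noticing is that the allowlist and the session-derived identity bound what an attacker can reach, but they do not make XSS harmless: a payload running in the page can still call `getProfile` or `updateEmail` as the logged-in user, so the exported surface should be as small as possible and every echoed value must be escaped.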
CoderGoblin
DevNet Resident
Posts: 1425
Joined: Tue Mar 16, 2004 10:03 am
Location: Aachen, Germany

Post by CoderGoblin »

One link:
Sitepoint Article

I seem to remember seeing another link somewhere on these forums the other day but cannot remember where, unfortunately. Security with this kind of processing is a potential problem at the moment.
phpScott
DevNet Resident
Posts: 1206
Joined: Wed Oct 09, 2002 6:51 pm
Location: Keele, U.K.

Post by phpScott »

The two technologies I think are called AJAX (Asynchronous JavaScript and XML) and Sajax (Sajax makes it easy to call PHP functions from your web pages via JavaScript without performing a browser refresh).

I've done a similar thing using IFRAMEs and the JS DOM.