Stut wrote:
Validation, validation, validation. The big danger with doing anything
on the client-side is that it's all too easy to fall into blindly
trusting what the client is giving you; even the smallest assumption
can create a big hole in your app.
Don't assume events will happen the way you expect them to. Don't
assume users won't be able to make requests just because your logic
*should not* allow it.
In short, don't treat it any differently to any other web application.
There is no difference, you still need to do all the validation on
every request whether it's AJAX or not.
Beyond data validation, the thing that *really* bothers me about
AJAX/JSON, etc. is functions that can read or even modify data. Until
recently, AJAX frameworks didn't do much verification on the source of
the request, so if you happened to be logged in to some private/sensitive
site, a 3rd party site in another tab/window could call your AJAX
functions and glean whatever data from the responses, or even modify
data. (e.g. ajax_getUsers(), or ajax_launchAllNukesNowNowNow()!)
I think all the major frameworks added protection against this, but
home-brewed or out-of-date AJAX/JSON framework users beware!
jon
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
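Both points in the thread (Stut's "validate every request, AJAX or not" and jon's "verify the source of the request so another site's tab can't call your AJAX functions") come together in one server-side handler. The following is an added example, not code from either poster or from any PHP or AJAX framework; it is written in Python rather than PHP so the logic can be exercised stand-alone, and every name, secret, origin and session value in it is constructed for the demonstration. It shows an `update_email` endpoint that authenticates the session, checks the browser-supplied `Origin` header against an allowlist, requires a per-session CSRF token that a cross-site page cannot obtain, validates the JSON body on the server regardless of any client-side checks, and takes the target user from the session rather than from the request body.

```python
import hashlib
import hmac
import json
import re

# --- constructed demo state (assumptions, not from the original post) ---
ALLOWED_ORIGINS = {"https://app.example.test"}   # the site's own origin(s)
SESSION_SECRET = b"constructed-demo-secret"       # server-side only, never sent to the client
SESSIONS = {"sess-alice": {"user_id": 42}}        # cookie session id -> logged-in user
USERS = {42: {"email": "alice@example.test"},
         7: {"email": "bob@example.test"}}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def csrf_token_for(session_id: str) -> str:
    """Token bound to the session. The page embeds it for its own AJAX calls;
    a third-party tab cannot read it, so it cannot forge a valid request."""
    return hmac.new(SESSION_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def build_request(sid, origin, token, body_obj):
    """Helper to assemble a request dict the way a browser would deliver it."""
    headers = {"Content-Type": "application/json"}
    if origin is not None:
        headers["Origin"] = origin
    if token is not None:
        headers["X-CSRF-Token"] = token
    cookies = {"sid": sid} if sid is not None else {}
    body = body_obj if isinstance(body_obj, str) else json.dumps(body_obj)
    return {"cookies": cookies, "headers": headers, "body": body}


def handle_update_email(request: dict):
    """Returns (http_status, response_dict). Every check runs on the server,
    whether or not the client-side code 'should' have prevented the request."""
    # 1. Authentication: who is the session cookie for?
    session = SESSIONS.get(request.get("cookies", {}).get("sid"))
    if session is None:
        return 401, {"error": "not authenticated"}
    session_id = request["cookies"]["sid"]

    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}

    # 2. Source check: browsers attach Origin to cross-site XHR/fetch. If it is
    #    present and not ours, refuse. Absence alone is not conclusive (some
    #    clients omit it), so the CSRF token below remains the primary defence.
    origin = headers.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, {"error": "cross-site request refused"}

    # 3. CSRF token bound to this session, compared in constant time.
    token = headers.get("x-csrf-token", "")
    if not hmac.compare_digest(token, csrf_token_for(session_id)):
        return 403, {"error": "missing or invalid CSRF token"}

    # 4. Server-side validation of the payload; never trust client-side checks.
    try:
        body = json.loads(request.get("body", ""))
    except (json.JSONDecodeError, TypeError):
        return 400, {"error": "body is not valid JSON"}
    if not isinstance(body, dict):
        return 400, {"error": "body must be a JSON object"}
    email = body.get("email")
    if not isinstance(email, str) or len(email) > 254 or not EMAIL_RE.fullmatch(email):
        return 400, {"error": "invalid email"}

    # 5. Authorization: the user being modified comes from the session. A
    #    client-supplied user_id that disagrees is an attempt the UI 'should
    #    not' allow, so it is rejected rather than honoured.
    target = body.get("user_id", session["user_id"])
    if target != session["user_id"]:
        return 403, {"error": "cannot modify another user"}

    USERS[target]["email"] = email
    return 200, {"ok": True, "user_id": target, "email": email}


if __name__ == "__main__":
    good = build_request("sess-alice", "https://app.example.test",
                         csrf_token_for("sess-alice"), {"email": "new@example.test"})
    print(handle_update_email(good))
    evil = build_request("sess-alice", "https://evil.example.test", None,
                         {"email": "attacker@example.test"})
    print(handle_update_email(evil))
```

The cross-site case is the one jon describes: the victim's session cookie is sent automatically, so step 1 passes, but the attacker's page neither has an allowlisted `Origin` nor can read the session-bound token, so the request is refused before any data is touched. Step 5 is Stut's point in miniature: the request body is never allowed to decide whose record changes.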