3

I want to user jquery ajax calls, for example;

function addnewteacher(){
      $.ajax({
          type: "POST",
          url: "/actions/dboss/newteacher.php",
          data: "uname=" + $("#newteacheruname").val() + "&upass=" + $("#newteacherupass").val() + "&name=" + document.getElementById("newteachername").value + "&surname=" + document.getElementById("newteachersurname").value + "&mobile=" + document.getElementById("newteachermobile").value + "&email=" + document.getElementById("newteacheremail").value,
          success: function(html){
              $("#response").html(html);
              $("#response").dialog("open");
          }
      });
  }

As you can see, i have to give away the data part to end user. But i want to encrypt it with a hidden function then decrypt it on server so probably no one can send and malicious code to server just because that code wont make any sense after decryption if not properly encrypted. But i have to hide the function from user or make the function work only for me?

Thanks for any help/idea

Improve this question
4
  • 1
    Since you are using jQuery, you can replace calls like document.getElementById("newteachername").value with $("#newteachername").val() Commented May 2, 2011 at 21:14
  • 3
    No matter how much you obfuscate it, anyone with firebug could still see the form post. Commented May 2, 2011 at 21:14
  • Btw, you should chain your code: $("#response").dialog("open"); because right now, you're making it search twice for #response (same for #newteacherupass but you'll have to store it in a variable as you can't chain). Commented May 2, 2011 at 21:20
  • Encryption should be used to prevent eavesdropping, and should not be used to check the provenance of data. That's what signing is for: en.wikipedia.org/wiki/Digital_signature . If you want the server to be able to check that a message comes from a trusted client, then you need to sign, not encrypt. Commented May 3, 2011 at 13:06

6 Answers 6

Reset to default
17

You cannot hide JavaScript code. It gets downloaded to the client and executed there. You can obfuscate it, push it way deep inside, whatever you want, but a determined user can still find it. Your security really needs to be on the server, where you have complete control, not on the client, where you have no control at all.

Make sure calls to /actions/dboss/newteacher.php are authorized and verify they are coming from valid sources on the server. Security through obscurity is not security.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

+1 for right and complete answer the first time rather than posting something short first and editing within the window. :)
5

No. You can obfuscate them by minifying the code and that sort of thing, but you should never ever assume that your javascript is unreadable.

You need to validate and sanitize any user-submitted data on the server end.

Improve this answer

Comments

1

No, sorry that's not possible. Everything you put in javascript will eventually be visible to the user. No matter how hard you try to minify/obfuscate the code, suffice to install FireBug and the password will popout at user eyes like a balloon.

Improve this answer

Comments

1

Everything JavaScript does can be done by a user. Even if you think noone will even understand you code, he doesn't have to. He can just execute it and see what it gives. JavaScript should only be used as a way to make the UI more convenient, not to secure anything. Basically, what you want to is not to write a password in the JavaScript and check it in here when the user types it but you want to send the password written to the server that either says "yes" or "no". If you check a form with JavaScript, you have to recheck it on the server-side because JavaScript could be disabled and so on. JavaScript on its own isn't secured (as client-side language of course).

Improve this answer

Comments

0

You can use something like Google Closure to obfuscate the Javascript code, but I'd really look into why you need to hide this in the first place since they will be messing up their own data. As long as you don't rely on the data being valid for server side functionality (such as injecting the input directly into SQL) you should be ok.

Improve this answer

Comments

0

You should be trying to hide keys, not the function that signs the content.

I've seen a number of JS systems that do something like this:

<script>// Runs first
(function () {
  // Look for a key in the URL like 'http://mysite.com/my/path?my=params#;key=abcd...
  var key = document.location.hash.match(/;key=([^;]+)/)[0];
  // Make sure other code on the page can't retrieve the key.
  // This is analagous to a program zeroing out its argv to prevent
  // key retrieval via /proc.
  document.location = "#";  // Does not cause reload.

  // define signature algo and export to whatever scope is appropriate.
  ...
})();
</script>

Obviously, this only works with single-use keys.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.