Quote:
Originally Posted by falsepride
Using $_GET directly in my query won't be a problem in this case. This page is only going to be accessed from a JavaScript XMLHttpRequest. The JavaScript will limit what column names get put into the queries.
I hate to poke holes in your logic, but one of the easiest things a malicious user can do is simply view your page source and understand how the script accepts values, bypass JavaScript altogether and create their own form to send data directly to your PHP script. It's also as easy as a couple of mouse clicks to disable JavaScript in the browser.
You should always double up on filtering data; using JavaScript to do it up front is great, as it can save time on multiple page requests kicking back to the user until they give you what you expect. BUT, if the user disables it (either because they look at it from the viewpoint of their own security, or do it specifically to bypass your checks), you have to have a backup in the server-side code to perform the same task. At the most, all that happens is the data is checked twice.
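A server-side counterpart to the point made above, as an added example (not code from either poster): because a column name cannot be bound as a prepared-statement parameter, the PHP script maps the client-supplied name onto a fixed allowlist before it ever reaches the SQL string, so the check holds whether or not the request came through the page's own JavaScript. The `users` table, its column names and the `sort`/`dir` parameters are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Table and column names are constructed.
// Column identifiers cannot be bound as prepared-statement parameters, so the only
// safe approach is to accept the client-supplied name only if it matches our own list.

const ALLOWED_COLUMNS = ['id', 'username', 'created_at'];

/**
 * Return the requested column if it is on the allowlist, otherwise null.
 * Strict comparison: a different case, extra whitespace, or any column we did not
 * list is rejected, regardless of what the page's JavaScript would have sent.
 */
function resolveColumn(string $requested): ?string
{
    return in_array($requested, ALLOWED_COLUMNS, true) ? $requested : null;
}

/**
 * Build the query from an already-validated column name. The identifier is now one of
 * our own literals, so interpolating it is safe; the row value still uses a placeholder.
 * Returns [sql, params] ready for PDO::prepare() / PDOStatement::execute().
 */
function buildQuery(string $column, string $direction): array
{
    $dir = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC'; // anything else falls back to ASC
    $sql = "SELECT id, username, created_at FROM users WHERE status = :status ORDER BY `$column` $dir";
    return [$sql, [':status' => 'active']];
}

/** Request entry point: the same check runs for a hand-built form as for our own XMLHttpRequest. */
function handleRequest(array $get): array
{
    $column = resolveColumn((string)($get['sort'] ?? ''));
    if ($column === null) {
        return ['status' => 400, 'error' => 'invalid sort column'];
    }
    [$sql, $params] = buildQuery($column, (string)($get['dir'] ?? 'ASC'));
    // In the real script: $stmt = $pdo->prepare($sql); $stmt->execute($params);
    return ['status' => 200, 'sql' => $sql, 'params' => $params];
}

// Constructed requests: one the page's JavaScript would send, one bypassing it with
// a column that is not on the allowlist. Pass $_GET here in the real script.
echo json_encode(handleRequest(['sort' => 'username', 'dir' => 'desc'])), PHP_EOL;
echo json_encode(handleRequest(['sort' => 'password_hash'])), PHP_EOL;
```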