
ajax <-> database safety

Engaged, Nov 12, 2015


I am planning to build a site generator which will be based on jQuery and LESS. What I have in mind is a highly extensible system and an admin area based on ajax.

The admin can adjust colors, forms, menus, build pages and configure widgets on the page, etc. The backbone of the application will be a database.

To make it really extensible I want to add the possibility that the admin can make database tables and add forms for these tables. All forms on the site will be ajax driven.

Now there is a thing about safety. With standard forms this will not be an issue; the thing is the dynamically created forms. There are several ways to implement a system like that.

One way I can think of is that a dynamically created form sends the table name in an ajax call. But here is where I have some doubt. Although the database should always be protected with a password etc., my policy towards safety is to give away as little information as possible about the server, and it doesn't take rocket science to read an ajax request to the server. So if I implement it in that way, users can easily see exactly what tables are being updated if they inspect the traffic from and to the server. What do you think, is this a thing I should avoid?

1 Correct answer: Guru, Nov 12, 2015 (the full post appears below)

Community Expert, Nov 12, 2015


Mr. Biesheuvel,

I noticed that you also posed the question in the ColdFusion forum. That is a good idea, as this forum concentrates more on front-end coding. You may also like to try the Coding Corner, a brand new forum populated by people who would love to discuss the problems.

Wappler, the only real Dreamweaver alternative.

Guru, Nov 12, 2015


Ben is right that the coding forum is the better place to post this, but a lot of coding questions come through the DW forum, too.

With a backend language like PHP or ColdFusion you could avoid the security risks of AJAX, but there are other issues here as well.

I would never allow clients to define tables and column names in the database. Period. Never. So much could go wrong. They could use reserved words and special characters that would break the table and might seriously damage the database. You could, in theory, write code to catch all the potential problems, but I would still never go down that road.

I have created a form editor that allows clients to build up a form. They pick the input labels and the type of input (radio, checkbox, text, textarea, select), but they don't name the columns, and all the forms are records in a table I have prepared. When the forms are used, the form responses all get generically sanitized with PHP code before going into the database.

I don't use ajax at all for this. Just PHP.

LEGEND, Nov 12, 2015


I have moved your discussion to the Coding Corner just so that it is in a place where users with similar questions can access it.

Engaged, Nov 12, 2015


Thanks, it has been a long time since I used the Dreamweaver forum; in the future I will ask these sorts of questions here!

LEGEND, Nov 12, 2015


I'd double that vote: never let a person have any control over the database; your business logic squarely handles all of that. You can always make them feel like they control it (table name, columns, etc.), but in your back end you should just be storing those as extra table strings that only mean something to the user, not anything that correlates to anything about the actual table.

You're right to be cautious about any hints you leave in your front end about your back end. If they can read it, they will; it's a hole. Serialization, encoding, encrypting and such won't help here either, because the front end will need to know how to utilize it, and therefore any developer can use that to tokenize, decode and decrypt.

Your front end should just manage the user's experience and ability to work with the data, but that's where it should stop. The back end needs to sanitize everything to a fitting level.

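The design the Guru's form-editor post and the reply above both describe (form definitions stored as records in tables the developer prepared, an opaque id on the wire instead of a table name, and server-side validation that does not depend on what the client sent), as an added example that is not code from this thread or from any poster. The schema, the table names, the JSON request shape and the function names are assumptions made for this demonstration; it uses Python's standard sqlite3 module so it runs offline on constructed demo data.

```python
# Added example, not code from the thread: dynamic forms as database records,
# not database tables. Schema, table names and request shape are assumptions.
import json
import sqlite3

# Hypothetical schema: a form is a row in `forms`, its questions are rows in
# `form_fields`, and submissions land in `form_responses` / `response_values`.
SCHEMA = """
CREATE TABLE forms (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE form_fields (
    id INTEGER PRIMARY KEY, form_id INTEGER NOT NULL REFERENCES forms(id),
    label TEXT NOT NULL, required INTEGER NOT NULL DEFAULT 0,
    input_type TEXT NOT NULL
        CHECK (input_type IN ('text', 'textarea', 'radio', 'checkbox', 'select')),
    options TEXT);  -- JSON list of allowed values for radio/checkbox/select, else NULL
CREATE TABLE form_responses (id INTEGER PRIMARY KEY,
    form_id INTEGER NOT NULL REFERENCES forms(id));
CREATE TABLE response_values (
    response_id INTEGER NOT NULL REFERENCES form_responses(id),
    field_id INTEGER NOT NULL REFERENCES form_fields(id), value TEXT NOT NULL);
"""
MAX_VALUE_LEN = 2000

class SubmissionError(ValueError):
    """Raised for any request the server refuses to store."""

def setup_demo_db():
    """Constructed demo data: one questionnaire with three fields."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO forms (id, name) VALUES (1, 'Customer questionnaire')")
    conn.executemany(
        "INSERT INTO form_fields (id, form_id, label, input_type, required, options)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        [(10, 1, "Your name", "text", 1, None),
         (11, 1, "How did you hear about us?", "select", 1, json.dumps(["search", "friend", "ad"])),
         (12, 1, "Comments", "textarea", 0, None)])
    conn.commit()
    return conn

def handle_submit(conn, request):
    """Server side of the ajax post. `request` is the decoded JSON body, e.g.
    {"form_id": 1, "values": {"10": "Alice", "11": "friend"}}. Only an opaque form id
    and field ids cross the wire: no table name, and nothing the client sends
    can choose which SQL statement runs."""
    try:
        form_id = int(request["form_id"])
    except (KeyError, TypeError, ValueError):
        raise SubmissionError("missing or invalid form_id")
    if conn.execute("SELECT 1 FROM forms WHERE id = ?", (form_id,)).fetchone() is None:
        raise SubmissionError("unknown form")
    # The stored definition is the allowlist for field ids and, where set, for values.
    fields = {row[0]: row for row in conn.execute(
        "SELECT id, input_type, required, options FROM form_fields WHERE form_id = ?",
        (form_id,))}
    values = request.get("values")
    if not isinstance(values, dict):
        raise SubmissionError("values must be an object")
    cleaned = {}
    for key, raw in values.items():
        try:
            field_id = int(key)
        except (TypeError, ValueError):
            raise SubmissionError(f"bad field key {key!r}")
        if field_id not in fields:
            raise SubmissionError(f"field {field_id} does not belong to form {form_id}")
        options = fields[field_id][3]
        if not isinstance(raw, str) or len(raw) > MAX_VALUE_LEN:
            raise SubmissionError(f"field {field_id}: expected a string, max {MAX_VALUE_LEN} chars")
        if options is not None and raw not in json.loads(options):
            raise SubmissionError(f"field {field_id}: value not among allowed options")
        cleaned[field_id] = raw
    for field_id, (_, _, required, _) in fields.items():
        if required and not cleaned.get(field_id, "").strip():
            raise SubmissionError(f"field {field_id} is required")
    # Parameterised statements only: the client supplies data, never SQL.
    cur = conn.execute("INSERT INTO form_responses (form_id) VALUES (?)", (form_id,))
    response_id = cur.lastrowid
    conn.executemany(
        "INSERT INTO response_values (response_id, field_id, value) VALUES (?, ?, ?)",
        [(response_id, fid, val) for fid, val in cleaned.items()])
    conn.commit()
    return response_id

def stored_values(conn, response_id):
    """Return {field_id: value} for one stored submission."""
    return dict(conn.execute("SELECT field_id, value FROM response_values WHERE "
                             "response_id = ? ORDER BY field_id", (response_id,)).fetchall())

if __name__ == "__main__":
    db = setup_demo_db()
    # A forged "table" key is ignored; a value outside the stored options and a
    # field id from another form are rejected before anything is written.
    for req in ({"form_id": 1, "table": "admin_users", "values": {"10": "Alice", "11": "ad"}},
                {"form_id": 1, "values": {"10": "Mallory", "11": "bribe"}},
                {"form_id": 1, "values": {"10": "x", "11": "ad", "99": "y"}}):
        try:
            rid = handle_submit(db, req)
            print("accepted", rid, stored_values(db, rid))
        except SubmissionError as exc:
            print("rejected:", exc)
```

The point of the split between `forms`/`form_fields` and `form_responses`/`response_values` is that the admin can keep adding questionnaires without any DDL ever running at the request of a form, and the browser never learns more than a form id and a set of field ids. Because the server re-derives the allowed fields and options from the stored definition on every post, client-side validation stays a convenience for the user rather than a security control.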
Engaged, Nov 12, 2015


No, I think I was not clear enough, my apologies.

Of course a client can never ever define a table in a database; this function will only be for the administrator in the admin session. Also there will be different administrator roles with different permissions. Only the administrator with the highest permissions can create tables. That way only the highest admin can design a table and create a form for it. I think this would be a useful tool once the CMS is active and there could be an unforeseen need for collecting data, like a questionnaire (or something like that).

Only the form will be visible to the clients, like any other form, with client-side validation and on the server side also validation. I use ajax forms with client-side validation to post data, but server-side validation will not be neglected, since everything from the client side can be easily manipulated by the wrong people. You don't have to be a genius to send data over the internet, so the server side is never, never going to be neglected.

The only thing that could be visible is the table name, not on screen, but only in the ajax post data. That is all they see, but as we all know, it doesn't take rocket science to read this data.

As far as I can think of now, this would be the most straightforward way of creating modules and forms 'on the fly', but it worries me that the client can see the table name, because I like everything on the server side to be as obscured as it can be. On the other hand, many open source CMS / blog packages etc. have the same 'problem', maybe not in the traffic, but everybody that ever downloaded an open source CMS/blog knows all the table names. And I bet that hackers with the wrong intentions studied these packages very well.

So on one hand, how bad can it be if a user knows a certain table name if everything else is obscured, or should I be less lazy in designing an implementation?

Guru, Nov 12, 2015


It isn't clear to me why you would need to create a new table for every form. A single table could hold all form questions, but questions sharing an id number would all belong to the same form. Responses to the forms would all go into a different table.

Only the administrator with the highest permissions can create tables.

I still wouldn't let them do it.

Just think what your database will look like after a couple of years. It may be full of tables with cryptic names that no longer serve any purpose. A big mess.

Engaged, Nov 12, 2015


Rob Hecker2 wrote:

Just think what your database will look like after a couple of years. It may be full of tables with cryptic names that no longer serve any purpose. A big mess.

Yeah, I think you're right; that's also a concern I should take seriously when planning the project. Maintenance would be a disaster. I want to design a site-building generator; my idea is to save me lots of time and give my customers an easily configurable site. With LESS/jQuery coupled to a database I want to build a site generator where you can build pages and easily configure all sorts of widgets like slideshows etc. without any coding. The problem is always that many customers use CMS or blog software that does the job very well, but numerous times I find myself building in special widgets etc. That's a loss of time for the customer and of my time.

Cluttering a database would indeed be the opposite of my goals; thank you for pointing this out. As you design and develop things you know how to maintain a site, but many of my customers don't have the time to be a computer geek. That's not because they're stupid, but for them it's just a tool to run their businesses. So I have to take that into consideration.
