This function is viewable in the browser. I’m worried someone could somehow access the folder and manipulate the db. Can I keep this open in the frontend or do I need to secure it in the backend?
function fetchTotalLessons() {
var xhr = new XMLHttpRequest();
var params = 'getTotal=' + encodeURIComponent('true');
xhr.open('GET', '../includes/fetchLessonPlans.php?' + params, true);
xhr.onload = function() {
if (xhr.status === 200) {
totalLessons = parseInt(xhr.responseText);
totalPages = Math.ceil(totalLessons / lessonsPerPage);
generatePaginationButtons();
}
};
xhr.send();
}
I’m new to GET requests so just not sure if it’s safe to have the URL so visible in the elements tab
2
Answers
It’s very simple: don’t trust the client or anything that comes from them. Even if the JS file is encrypted, the request will be sent to the server through the client’s browser, so they can easily edit or manipulate the request. The concept is straightforward: just be aware in the backend that the request is not trusted and take the necessary actions. These actions include validation (such as expecting the received value to be a number only), using prepared statements in SQL, sanitization, authentication, authorization, rate limiting and throttling, and verifying that the received data is valid, correct, and reliable
this code is and javascript code, so its run in front end. so you cant hide it but i strongly suggest you add Negetive option index to your .htaccess file.
in this way if hacker want see directory
../includes/
server will response with 403 status code.add this code to htaccess