javascript - What is the best way to send secure parameter in Ajax Request? - Stack Overflow

I send an Ajax request with this function:

function myFunc(x)
{
    $.ajax({
        url:      'retrive.php',
        type:     'POST',
        data:     'data=' + x,
        success:  callback
    });
}

I call the function with an integer parameter. For example:

myFunc(20);
myFunc(25);

Can a hacker change the parameters of myFunc()?
If he can, how can I prevent the value from being changed?
What is the best way to send a secure parameter?

**EDIT:**

My JavaScript code has a variable called Score.
This variable is incremented by one:

if(condition)
{
    Score++;
}

When the game is over, I send the variable with Ajax.
This variable is stored in the database along with the game code.

if(game_over)
{
    myFunc(20, Score); // game code, score
}

But these values can be changed by a user (via the console in Chrome or Firebug).
1. What is the solution?
2. What is the name of this type of attack? Is it XSS?

Asked Apr 7, 2015 at 6:42 by Mohsen Movahed; edited Apr 7, 2015 at 16:35
  • You must use server-side validations for this, because parameters can always be changed before reaching the server. – Brijesh Bhatt Commented Apr 7, 2015 at 6:44
  • Don't worry about client-side code, it's not secured by definition. Make sure your backend is bullet-proof. – dfsq Commented Apr 7, 2015 at 6:45
3 Answers

Yes, a hacker sure can, and easily too. For example, by using Chrome Developer tools, one can inject or modify your script. As a motivating example, I routinely do this when I order a pizza to have it delivered a little faster ;)

So, you should not rely on JavaScript authentication. Instead, have your server verify or reject the parameters, or use some sort of challenge/accept system between the server and the JavaScript.

Here are some more ideas you can try: Ajax post request security

Can a hacker change the parameters of myFunc()?

Yes, he can.

If he can, how can I prevent the value from being changed?

You can't prevent it, but you can verify the parameters in server-side code.

What is the best way to send a secure parameter?

What you can do is use the mcrypt_encrypt() function to encrypt your string or data, and when receiving the data you can use the mcrypt_decrypt() function; otherwise you can use other encoding methods in PHP.

You can check PHP mcrypt - Complete encryption and decryption of data

It is the same as sending params via POST or GET from an HTML form. It's impossible to secure it. You can only use some encryption method, but that is not very secure because you need to decrypt it on the server side. In the end, with this solution it's impossible to make the encryption 100% secure.
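
The server-side verification and challenge approach suggested in the answers above, as an added example that is not part of the original question or answers. It is written in JavaScript for Node.js as a stand-in for retrive.php; the function names, the token format and the MAX_POINTS_PER_SECOND rule are assumptions.

```javascript
// Added example: server-side checks for a submitted game score (Node.js).
const crypto = require('crypto');

const SERVER_KEY = crypto.randomBytes(32); // secret, never sent to the browser
const MAX_POINTS_PER_SECOND = 2;           // assumed game rule
const usedNonces = new Set();              // in-memory here; a shared store on a real server

function sign(payload) {
  return crypto.createHmac('sha256', SERVER_KEY).update(payload).digest('hex');
}

// Called when a game starts: the server issues a signed, single-use token
// that binds the game code to the server's own start time.
function startGame(gameCode, nowMs) {
  const nonce = crypto.randomBytes(16).toString('hex');
  const payload = `${gameCode}.${nowMs}.${nonce}`;
  return `${payload}.${sign(payload)}`;
}

// Called when the browser posts the final score (parse the POST field to a
// number before calling). Every value from the client is treated as untrusted.
function submitScore(token, gameCode, score, nowMs) {
  const parts = String(token).split('.');
  if (parts.length !== 4) return { ok: false, reason: 'malformed token' };
  const [code, startedAt, nonce, mac] = parts;
  const expected = Buffer.from(sign(`${code}.${startedAt}.${nonce}`));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    return { ok: false, reason: 'bad signature' };
  if (code !== String(gameCode)) return { ok: false, reason: 'wrong game' };
  if (usedNonces.has(nonce)) return { ok: false, reason: 'token already used' };
  if (!Number.isInteger(score) || score < 0)
    return { ok: false, reason: 'score is not a non-negative integer' };
  // Plausibility check against the server's clock, not the client's.
  const elapsedSec = (nowMs - Number(startedAt)) / 1000;
  if (elapsedSec < 0 || score > elapsedSec * MAX_POINTS_PER_SECOND)
    return { ok: false, reason: 'score not achievable in elapsed time' };
  usedNonces.add(nonce); // consume the token only on an accepted submission
  return { ok: true, score };
}
```

A modified client can still submit any score that passes these checks, so they bound what can be claimed rather than proving the game was played honestly.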
