Important data can be modified from the developer console. What should I do?
Most of the details in your question are irrelevant. That the ID is stored in a HTML id attribute, the developer tools, that you are using jQuery... None of that really matters.
The only thing that matters is that you have an endpoint on your server called insert.php
. An attacker can send any request they want to that endpoint, regardless of what your client code looks like. Protections against people trying to do things that they are not allowed to do must be at the server, and not the client.
So look at your PHP code. Does it verify that the input is in the expected format? Does it check that the user has the right to edit the particular todo list? If not, fix it. And remember, your validation and authorization checks must be performed on the server to have any security value.
Specifically, if users should only be allowed to edit todos that they own you need to do the following in insert.php
:
- Query the database to get the owner of the todo that is being modified.
- Get the id for the user making the request.
- Check that they are the same, and deny if they are not.
The AJAX related stuff you described doesn't really matter, you should have no trust of the client (browser) and rather, the insert.php script should validate the information.
You need to consider what you are validating - in a case of a todo list, just make sure that the ID they sent, they have the relevant permissions to modify/etc. If anyone does manually send requests to your insert.php script, it should be resilient against whatever it is you need it to be (whether that is, whether it belongs to them/they should have permission to edit it/whether the todo list item is locked/etc).
You should under no circumstances trust the data that the client/browser is sending you and validate everything serverside. You may also want to consider then rather than having an insert.php script which seems to just insert a JSON object, you could create an API for your AJAX requests rather than just inserting JSON objects without validating anything about it.