Thanks all. The information is not that sensitive, but at the least, such a measure is important to prevent a DoS attack as Khalid mentioned. Yet even if user data is not that sensitive, it's still inappropriate to allow someone to just run off knowing most of the registered users on a site. This could be a first phase for performing a more elaborate and targeted attack on a site. David, how could using a captcha help here? By storing the result in a session variable and expecting it back with the AJAX call? How can we change the captcha on the next call without refreshing the page? I haven't really used captchas before, so apologies if these questions are invalid in this context. What is evident here is that any fully client-side solution is bound to fail, as it is easily manipulated by the client. Thanks.

On 5/8/07, Khalid Baheyeldin <kb@2bits.com> wrote:
On 5/7/07, David Metzler <metzlerd@metzlerd.com> wrote:
True enough, but that being said, there's not a fundamental difference between having an ajax script call a php page that checks to see if a username has been taken, and having a web form perform the same validation. So don't assume that Ajax is the problem here, just realize that it doesn't provide any additional security either.
The difference is that in AJAX (as most commonly used), if you type "aa", then all the users with names beginning with Aa will show up for you, then you do "Ab", and get a list, then "Ac", ...etc.
This does not happen in a normal, non-AJAXified form. All you can get is whether the full name you chose exists or not.
Ashraf,
If this data is sensitive, then just don't reveal it. Also, check that there is sufficient delay before retrieving results, so as not to get DoS attacks by asking for the data too quickly, overloading the database.
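As an added illustration of Khalid's two suggestions (this is example code written for this page, not code from anyone in the thread or from any particular site): a server-side availability check that answers only "taken / available" for the exact name the caller sends, never a prefix listing, and refuses calls that arrive faster than a minimum interval per session. The `users` table, its `name` column, the SQLite connection string and the two-second interval are assumptions chosen for the example.

```php
<?php
// Added example, not from the thread. Assumed schema: users(name).
// Assumed storage: an SQLite file next to the script.

// Minimum seconds between two checks from the same session (assumed value).
define('MIN_INTERVAL', 2);

// Returns true when the caller asked again too soon. Uses the session as the
// counter so a single browser cannot hammer the database; see note below on
// why this alone is not a full answer.
function is_throttled(array &$session, $now, $min_interval)
{
    if (isset($session['last_check']) && ($now - $session['last_check']) < $min_interval) {
        return true;
    }
    $session['last_check'] = $now;
    return false;
}

// Exact-match lookup. The leaky variant would be
//   SELECT name FROM users WHERE name LIKE :prefix || '%'
// which hands the caller every user whose name starts with what they typed.
// Here we return a single boolean and never echo any stored name back.
function username_taken(PDO $pdo, $name)
{
    $stmt = $pdo->prepare('SELECT 1 FROM users WHERE LOWER(name) = LOWER(:name) LIMIT 1');
    $stmt->execute(array(':name' => $name));
    return $stmt->fetchColumn() !== false;
}

// Basic input discipline: one non-empty name of bounded length.
function valid_name_syntax($name)
{
    return is_string($name) && $name !== '' && strlen($name) <= 60;
}

session_start();
header('Content-Type: text/plain');

$name = isset($_POST['name']) ? trim($_POST['name']) : '';
if (!valid_name_syntax($name)) {
    header('HTTP/1.1 400 Bad Request');
    exit('invalid');
}

if (is_throttled($_SESSION, time(), MIN_INTERVAL)) {
    // Ask the client to retry later instead of running the query.
    header('HTTP/1.1 429 Too Many Requests');
    header('Retry-After: ' . MIN_INTERVAL);
    exit('slow down');
}

$pdo = new PDO('sqlite:' . __DIR__ . '/site.db'); // assumed connection
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

echo username_taken($pdo, $name) ? 'taken' : 'available';
```

Two caveats a reviewer would raise. First, the session-based delay only slows down a well-behaved browser; a script that discards the session cookie gets a fresh session on every request, so a per-IP or per-account limit (or a captcha tied to the session, as asked about above) is needed to throttle a deliberate enumerator rather than just a quick typist. Second, even the exact-match endpoint still confirms one name per request, so with a word list an attacker can still discover accounts; the throttle bounds the rate, it does not remove the oracle.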