Security of jqGrid
27/04/2009 18:27
jqgridfan (New Member, Forum Posts: 2, Member Since: 28/04/2009)

Hi everyone,

Sorry for the 2nd post if my 1st appears - my browser crashed.

Thanks for this incredible plugin - it really stands out from the others my team has reviewed. We are keen to implement it across our entire application!

But we are ignorant regarding the security implications of this plugin. URLs, data, and table structure (e.g. fields) appear visible, and we are not sure if this is bad if only the currently signed-in user in our application can access this. Are they the only ones who could? MITM attacks, SSL encryption, etc. aside, we wonder if there is any best practice for secure use of this plugin.

Please comment or refer us to any documentation or third party web sites that can help us tighten the security for our integration of this plugin.

Regards,

jqGridfan

30/04/2009 02:22
tony, Sofia, Bulgaria (Moderator, Forum Posts: 7721, Member Since: 30/10/2007)

Hello,

Thanks for pointing this out.

This can be a long discussion. Shortly: jqGrid is as secure as jQuery is - I mean jqGrid uses ajax calls to obtain the data from the web. This is the "hidden" part. The data from the server is then manipulated and presented to the user - i.e. jqGrid represents tabular data. If you use another grid component (Dojo, Yahoo, etc.) things are the same. The data that you provide is on the user's machine and you cannot secure it, since you want this data to be seen by the user. There is no sense in (and no way of) securing the data on the user's machine. On the client machine the user can manipulate the content in any way they want - I mean using FireBug I can enable or disable what I want, etc. Is this bad?

The answer is - yes, it is bad if you do not have securing procedures at the server. If you have strong securing procedures at the server you should not care about the data on the user's machine.

The real securing IMHO should be done at the server. Typically in my applications I check for every request:

1. If the user is logged into the system
2. Compare the password from this user to the one stored in my database (encrypted)
3. Does the user have the right to this page?
4. If the user has this right, what actions are allowed for this user?
5. Check the parameters that are passed from the user
6. At the end, write the SQL so that no SQL injection can be done (typically I use prepared statements)

This of course slows things down, but let me say that slower speed with higher security is better.

This is one part of this process. Of course you can use SSL, VPN, etc. You can allow only certain users to have access to the system if you know their IP, and so on.

I think we have started something that will be interesting to others.

Best Regards

Tony

For professional UI suites for Java Script and PHP visit us at our commercial products site - guriddo.net - by the very same guys that created jqGrid.
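The server-side checks Tony lists (logged in, right to the page, allowed action, validated parameters, prepared statements), as an added Python example that is not from this thread or from jqGrid itself. It assumes a session dict with `user` and `rights` keys and a constructed in-memory SQLite table, validates the `page`, `rows`, `sidx` and `sord` parameters that jqGrid sends by default, and returns rows in the `page`/`total`/`records`/`rows` JSON shape jqGrid's default reader expects:

```python
import sqlite3

COLUMNS = ("id", "name", "amount")   # whitelist: the only columns the grid may sort by
MAX_ROWS = 100                        # cap on rows per page a client may request

def make_db():
    # Constructed sample data standing in for the application's real table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, name TEXT, amount REAL)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                     [(1, "alice", 10.0), (2, "bob", 25.5), (3, "carol", 7.0)])
    return conn

def check_access(session, page, action):
    # Steps 1, 3 and 4: logged in, has the right to this page, and this action is allowed.
    # Assumed session shape: {"user": "...", "rights": {"invoices": {"read"}}}
    if not session.get("user"):
        raise PermissionError("not logged in")
    if action not in session.get("rights", {}).get(page, set()):
        raise PermissionError("action not allowed for this user")

def parse_grid_params(params):
    # Step 5: validate the page/rows/sidx/sord values jqGrid sends before they reach SQL.
    try:
        page, rows = int(params.get("page", 1)), int(params.get("rows", 10))
    except ValueError:
        raise ValueError("page and rows must be integers") from None
    if page < 1 or not 1 <= rows <= MAX_ROWS:
        raise ValueError("page or rows out of range")
    sidx = params.get("sidx") or "id"
    if sidx not in COLUMNS:                      # identifiers cannot be bound as ? parameters,
        raise ValueError("unknown sort column")  # so they must come from a whitelist
    sord = params.get("sord", "asc").lower()
    if sord not in ("asc", "desc"):
        raise ValueError("bad sort order")
    return page, rows, sidx, sord

def grid_handler(session, params, conn):
    check_access(session, "invoices", "read")
    page, rows, sidx, sord = parse_grid_params(params)
    # Step 6: only whitelisted identifiers are formatted in; user values go as ? parameters.
    total = conn.execute("SELECT COUNT(*) FROM invoices").fetchone()[0]
    sql = f"SELECT {', '.join(COLUMNS)} FROM invoices ORDER BY {sidx} {sord} LIMIT ? OFFSET ?"
    cur = conn.execute(sql, (rows, (page - 1) * rows))
    # jqGrid's default jsonReader expects page/total/records and rows of {id, cell}.
    return {"page": page, "total": -(-total // rows), "records": total,
            "rows": [{"id": r[0], "cell": list(r)} for r in cur]}
```

Step 2 of the list (re-checking the stored credential on every request) is left to whatever session or authentication layer the application already has.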

04/05/2009 19:02
jqgridfan (New Member, Forum Posts: 2, Member Since: 28/04/2009)

Thanks Tony,

You've thoroughly answered my team's questions and removed any doubt about using jqGrid securely.

We are keen to jump in and integrate this throughout our application!

Thanks,

jqGridfan
