Forum
18:27
28/04/2009
Hi everyone,
Sorry for the 2nd post if my 1st appears - my browser crashed.
Thanks for this incredible plugin - it really stands out from the others my team has reviewed. We are keen to implement it across our entire application!
But we are ignorant regarding the security implications of this plugin. URLs, data, and table structure (e.g. fields) appear visible, and we are not sure if this is bad if only the currently signed-in user in our application can access this. Are they the only ones who could? MitM attacks, SSL encryption, etc. aside, we wonder if there is any best practice for secure use of this plugin.
Please comment or refer us to any documentation or third-party web sites that can help us tighten the security for our integration of this plugin.
Regards,
jqGridfan
02:22
Moderators
30/10/2007
Hello,
Thanks for pointing this out.
This can be a long discussion. Shortly: jqGrid is as secure as jQuery is - I mean jqGrid uses ajax calls to obtain the data from the web. This is the "hidden" part. The data from the server is then manipulated and presented to the user - i.e. jqGrid represents tabular data. If you use another grid component (Dojo, Yahoo, etc.) the things are the same. The data that you provide is at the user machine and you cannot secure it, since you want this data to be seen by the user. There is no sense in (and you cannot) securing the data at the user machine. On the client machine the user can manipulate the content in any way they want - I mean using FireBug I can enable or disable what I want, etc. Is this bad?
The answer is - yes, it is bad if you do not have securing procedures at the server. If you have strong securing procedures at the server you should not care about the data at the user machine.
The real securing IMHO should be done at the server. Typically in my applications I check for every request:
1. If the user is logged in to the system
2. Compare the password from this user to the one stored in my database (encrypted)
3. Does the user have the right for this page
4. If the user has this right, what actions are allowed for this user
5. Check the parameters that are passed from the user
6. At the end, write the SQL so that no SQL injection can be done (typically I use prepared statements)
This of course slows down the speed, but let me say slow speed with higher security is better.
This is one part of this process. Of course you can use SSL, VPN, etc. You can allow only certain users to have access to the system if you know their IP, and so on.
I think we started something that will be interesting for others.
Best Regards
Tony
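As an added example (not code from the thread or from the jqGrid project), here is a minimal server-side handler for a grid data request that applies the checklist above: it refuses requests without a logged-in user or the needed right, validates the paging and sorting parameters (jqGrid's default parameter names page, rows, sidx and sord are assumed), takes the ORDER BY column only from a whitelist, and binds the remaining values with a prepared statement. The session dict, the rights names and the customers table are constructed for the demonstration.

```python
import sqlite3

# Whitelist of columns the client may sort by; anything else is rejected (step 5/6).
SORTABLE_COLUMNS = {"id", "name", "email"}
MAX_ROWS = 100  # cap page size so a client cannot pull the whole table in one call


def validate_grid_params(params):
    """Normalise jqGrid's page/rows/sidx/sord parameters; raise ValueError on anything odd."""
    try:
        page = int(params.get("page", 1))
        rows = int(params.get("rows", 10))
    except ValueError:
        raise ValueError("page and rows must be integers")
    if page < 1 or not 1 <= rows <= MAX_ROWS:
        raise ValueError("page/rows out of range")
    sidx = params.get("sidx", "id")
    if sidx not in SORTABLE_COLUMNS:           # never interpolate an unchecked column name
        raise ValueError("unknown sort column")
    sord = params.get("sord", "asc").lower()
    if sord not in ("asc", "desc"):
        raise ValueError("sort order must be asc or desc")
    return page, rows, sidx, sord


def handle_grid_request(conn, session, params):
    """Return (http_status, payload) for one grid data request (steps 1, 3, 4, 5, 6)."""
    if not session.get("user_id"):                          # step 1: logged in?
        return 401, "not logged in"
    if "customers:read" not in session.get("rights", ()):   # steps 3/4: right for this page/action?
        return 403, "no right to view customers"
    try:
        page, rows, sidx, sord = validate_grid_params(params)  # step 5
    except ValueError as exc:
        return 400, str(exc)
    # step 6: column/direction come from the whitelist only; LIMIT/OFFSET are bound parameters
    sql = f"SELECT id, name, email FROM customers ORDER BY {sidx} {sord.upper()} LIMIT ? OFFSET ?"
    cur = conn.execute(sql, (rows, (page - 1) * rows))
    return 200, [dict(zip(("id", "name", "email"), r)) for r in cur.fetchall()]


def demo_connection():
    """Constructed in-memory sample table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers (name, email) VALUES (?, ?)",
                     [("Alice", "alice@example.com"), ("Bob", "bob@example.com"),
                      ("Carol", "carol@example.com")])
    return conn
```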