Are there any security risks when submitting data-attribute data through AJAX?

When dealing with submit forms, even if they are sent with AJAX, you must play by the Never trust user’s input rule.

Every data-attribute can be changed, edited via Inspector. Your only trusted validation should be on the server side, as you did with:

if ( isset($_POST['author_id']) || is_numeric($_POST['author_id']) )

Personally, I would inverse the logic and first check all the attributes before starting any action.

check_ajax_referer( '*****', 'security' );

if ( ! isset($_POST['author_id']) && ! is_numeric($_POST['author_id']) ) {
      // tell the villain that this tower is watched
      wp_send_json_error( 'Wrong author ID!' );
}

// now is safe to cache
$author_id = $_POST['author_id'];

Stolen from Codex.

The parameters are passed through a URI encoding so I wouldn’t worry too much about data type or casting.

Related Posts:

  1. Nonces can be reused multiple times? Bug / Security issue?
  2. ajaxurl not defined on front end
  3. How to store username and password to API in wordpress option DB?
  4. Why does WordPress add 0 (zero) to an Ajax response?
  5. Saving data-URI to media library
  6. How to properly validate data from $_GET or $_REQUEST using WordPress functions?
  7. How can I run AJAX on a button click event?
  8. Can someone explain what wp_session_tokens are, and what are they used for?
  9. WordPress and PHP Sessions – Security and Performance
  10. What is the difference between esc_html and wp_filter_nohtml_kses?
  11. Empty POST data on server on AJAX request using Angular $http
  12. Nonce in settings API with tabbed navigation
  13. Log in from one wordpress website to another wordpress website
  14. wp_localize_script $handle
  15. Escaping built-in WP function return strings
  16. WP Cron doesn’t save or in post body
  17. How to enable users to down-vote in this simple voting counter (that uses the post meta)?
  18. Plugin Settings not Saving on Ajax re-ordered table
  19. How to post form in ajax mode and handle it in wordpress
  20. Using Ajax call in jQuery doesn’t work in widget
  21. WordPress restrict plugin file direct access
  22. Timeout on Admin-Ajax?
  23. Confusion on WP Nonce usage in my Plugin
  24. Comment `Reply` link doesn’t work if comments are loaded from ajax
  25. Ajax in WordPress – path issue
  26. Correct way check nonce (security) using old Options API
  27. Ensure function has completed before allowing another Ajax call
  28. Is there any way to check for user login and send him to login?
  29. WordPress security issue to output data from user input from theme option form
  30. include wp-blog-header not working on MAMP
  31. Slow WP_query due to nested wp_query. Need Suggestions
  32. .mo translation strings not loading in PHP scripts that handle AJAX calls
  33. How can I pass get_the_author_meta(‘user_email’) through the REST API?
  34. Woocommerce checkout update totals with datepicker
  35. Including the necessary functions for a custom ajax registration form
  36. Secure Pages Best Practice
  37. get post attachment using ajax
  38. Dashboard – get status and position of metaboxes and pass them to ajax method
  39. Securing/Escaping Output of file content – reading via fread() in PHP
  40. how to search users by ajax live search
  41. Storing data in wordpress database from ajax call from different website
  42. Fatal error: Uncaught Error: Call to undefined function get_option()
  43. best way to make a WordPresss multisite that is secure but at the same time supporting my plugin development efforts
  44. template_redirect or admin-ajax.php?
  45. how to get context information inside my funcion
  46. Is disabling test_form in wp_handle_upload a security concern?
  47. How to connect my wordpress plugin to a remote database securely?
  48. wp_nonce_field displaying twice
  49. AJAX form post returns 0
  50. Remove entire [$key] from array stored in custom field using Ajax – unset($array[$key]); not working
  51. How do I have now a duplicated user entry if this is not allowed (and I cannot replicate it)?
  52. Ajax is not working in a loop
  53. add_submenu_page hooked function must explicitly check user capabilities – why?
  54. How to get error object returned by wp_create_user
  55. Ajax: Populate with content from a post’s ID not working – duplicating current page html instead
  56. Setting a JSON web token from a secondary api as a secure cookie on WordPress
  57. How do I get rid of my inclusion race-condition on wp_enqueue_script
  58. Issues Updating Post Meta with AJAX (Seems simple but cannot figure it out)
  59. ajax working when function is on child theme but not in plugin page
  60. AJAX call to admin-ajax.php by subscriber returns home page
  61. Ajax function is not working on WordPress
  62. About a programming language starts with [closed]
  63. Workflow for new importer plugin – your advices?
  64. How can I save a password securely as a settings field
  65. AJAX request not routing through proxy
  66. Ajax on the Administration Side of plugin – returns 0
  67. How to do admin ajax request in a plugin for rest api
  68. Ajax action has 200 status but response of No response data available for this request
  69. WordPress Does not grab the string sends useing AJAX response, wp_ajax hook
  70. GET request return value as error instead of success
  71. Bad request 400 using class based files
  72. Trying to run a Ajax request from a checkout form in woocommerce via a custom plugin
  73. ajax stopped working when not logged in wordpress
  74. ajax response strips multidimensional array and unable to decode
  75. 400 Bad Request and illegal invocation in wp_ajax based on processData set to false or true
  76. Rate limiting ajax requests in WordPress
  77. ajax-action.php can’t find added action
  78. How do I make secure API calls from my WordPress plugin?
  79. esc_attr() on hard coded string
  80. Using AJAX to submit and return data inside the WordPress Plugin Boiler Plate framework
  81. AJAX call of function containing javascript which is not loaded (Plugin development)
  82. $_SESSION inside php function executed by AJAX
  83. Two same AJAX calls – one is working, other doesn’t
  84. How to include files in the loop via ajax
  85. How to handle ajax Request in a complex-structured plugin?
  86. Filterable posts using categories
  87. How to get values from Tinymce visual editor popup?
  88. PHP includes with AJAX actions
  89. WordPress function is not called and ajax return 0
  90. Experts opinions needed: How (in)secure is this approach?
  91. Ajax call not working with
  92. WP Ajax on page load not working on bluehost but was working on Godaddy
  93. What is more secure checking capabilities of user or checking role of user in WordPress plugin development
  94. Can’t get query string in ajax call
  95. Data Validation, dynamically generated fields (select for example)
  96. An adiitional function fires on my AJAX submit
  97. Fatal error: Call to a member function query() on a non-object in my ajaxpage
  98. Page reload occurs before request finishes
  99. Trigger a JavaScript function based on the data fetched from Woo commerce hook
  100. Return custom product in ajax call loop
tech