Are there any security risks when submitting data-attribute data through AJAX?

When dealing with submit forms, even if they are sent with AJAX, you must play by the Never trust user’s input rule.

Every data-attribute can be changed, edited via Inspector. Your only trusted validation should be on the server side, as you did with:

if ( isset($_POST['author_id']) || is_numeric($_POST['author_id']) )

Personally, I would inverse the logic and first check all the attributes before starting any action.

check_ajax_referer( '*****', 'security' );

if ( ! isset($_POST['author_id']) && ! is_numeric($_POST['author_id']) ) {
      // tell the villain that this tower is watched
      wp_send_json_error( 'Wrong author ID!' );
}

// now is safe to cache
$author_id = $_POST['author_id'];

Stolen from Codex.

The parameters are passed through a URI encoding so I wouldn’t worry too much about data type or casting.

Related Posts:

  1. Nonces can be reused multiple times? Bug / Security issue?
  2. ajaxurl not defined on front end
  3. How to store username and password to API in wordpress option DB?
  4. Why does WordPress add 0 (zero) to an Ajax response?
  5. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  6. Saving data-URI to media library
  7. How to properly validate data from $_GET or $_REQUEST using WordPress functions?
  8. How can I run AJAX on a button click event?
  9. Can someone explain what wp_session_tokens are, and what are they used for?
  10. WordPress and PHP Sessions – Security and Performance
  11. How-to implement admin Ajax inside an admin WP_List_Table?
  12. What is the difference between esc_html and wp_filter_nohtml_kses?
  13. What is nonce and how to use it with Ajax in WordPress? [duplicate]
  14. Empty POST data on server on AJAX request using Angular $http
  15. Using AJAX in FrontEnd with WordPress Plugin Boilerplate (wppb.io)
  16. Nonce in settings API with tabbed navigation
  17. Log in from one wordpress website to another wordpress website
  18. Build path for a custom portfolio plugin
  19. Using AJAX in a plugin to submit form – REALLY confused
  20. wp_localize_script $handle
  21. Escaping built-in WP function return strings
  22. What is the difference between strip_tags and wp_filter_nohtml_kses?
  23. WP Cron doesn’t save or in post body
  24. How to enable users to down-vote in this simple voting counter (that uses the post meta)?
  25. Adding callback function for wp_ajax_ has no effect
  26. get all products of one category
  27. Get returned variable from a function to add_shortcode function
  28. Plugin Settings not Saving on Ajax re-ordered table
  29. How to post form in ajax mode and handle it in wordpress
  30. Using Ajax call in jQuery doesn’t work in widget
  31. WordPress restrict plugin file direct access
  32. WP_LOCALIZE_SCRIPT doesn’t work
  33. Plugin development: is adding empty index.php files necessary?
  34. Timeout on Admin-Ajax?
  35. Confusion on WP Nonce usage in my Plugin
  36. Admin-ajax.php appending a status code to ajax response
  37. Comment `Reply` link doesn’t work if comments are loaded from ajax
  38. Ajax in WordPress – path issue
  39. Cannot search post by taxonomy
  40. Coding a plugin on WordPress; when should I sanitize? [duplicate]
  41. Correct way check nonce (security) using old Options API
  42. WordPress Ajax callback function from plugin – OOP
  43. Why do I need to check if wp_nonce_field() exists before using it
  44. WP AJAX is not working, always returns 0
  45. Ensure function has completed before allowing another Ajax call
  46. Is there any way to check for user login and send him to login?
  47. WordPress security issue to output data from user input from theme option form
  48. Frontend Ajax call not working using wp_ajax, wp_enqueue_script and wp_localize_script
  49. Fetching the value of forms in WordPress AJAX
  50. include wp-blog-header not working on MAMP
  51. Any problem in using native jquery ajax style instead of using admin-ajax.php?
  52. Slow WP_query due to nested wp_query. Need Suggestions
  53. Show special field when correct shipping is chosen
  54. .mo translation strings not loading in PHP scripts that handle AJAX calls
  55. How can I pass get_the_author_meta(‘user_email’) through the REST API?
  56. Verify if user is wordpress logged in from another app since wordpress 4.0
  57. Woocommerce checkout update totals with datepicker
  58. Including the necessary functions for a custom ajax registration form
  59. Secure Pages Best Practice
  60. How can I rewrite a URL to pass requests to a custom method via AJAX? (I can’t use admin-ajax.php)
  61. How to localize admin.php only once
  62. get post attachment using ajax
  63. Dashboard – get status and position of metaboxes and pass them to ajax method
  64. Securing/Escaping Output of file content – reading via fread() in PHP
  65. Create a new post using rest api and save featured image using an external image url
  66. how to search users by ajax live search
  67. wp.template() returns tags in Ajax response
  68. How to get Metabox custom field to show checked if value is updated using post meta query?
  69. Storing data in wordpress database from ajax call from different website
  70. Fatal error: Uncaught Error: Call to undefined function get_option()
  71. best way to make a WordPresss multisite that is secure but at the same time supporting my plugin development efforts
  72. Video Security just like facebook [closed]
  73. Create custom HTML/JS app inside page
  74. Use just a shortcode from another page
  75. template_redirect or admin-ajax.php?
  76. how to get context information inside my funcion
  77. Is disabling test_form in wp_handle_upload a security concern?
  78. How to connect my wordpress plugin to a remote database securely?
  79. wp_nonce_field displaying twice
  80. AJAX form post returns 0
  81. Is it necessary to do validation again when retrieving data from database?
  82. Update Data parameter of a wp_localize_script() call
  83. jquery & ajax sending data to php
  84. wp_localize_script is not adding a global variable for javascript
  85. Can’t get AJAX call working in custom plugin
  86. Checking a WordPress for OWASP top 10 vulnerabilities [closed]
  87. Bad Request in AJAX
  88. Remove entire [$key] from array stored in custom field using Ajax – unset($array[$key]); not working
  89. 400 Bad Request, in wordpress theme development, wp_ajax
  90. How do I have now a duplicated user entry if this is not allowed (and I cannot replicate it)?
  91. Ajax is not working in a loop
  92. ajax recursive calls on wordpress returning answers outsite the function scope
  93. add_submenu_page hooked function must explicitly check user capabilities – why?
  94. Ajax submit result opens in admin-ajax.php
  95. insert query on a custom table using ajax with jQuery plugin Jeditable
  96. How to get error object returned by wp_create_user
  97. Plugin AJAX Save to Custom Table
  98. Why would you use esc_attr() on internal functions?
  99. Ajax: Populate with content from a post’s ID not working – duplicating current page html instead
  100. Data not insert and update through ajax and jQuery in admin page?
Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)