Hello,
Thanks for pointing this out.
This can be a long discussion. Shortly: jqGrid is as secure as jQuery is – I mean jqGrid uses AJAX calls to obtain the data from the web. This is the "hidden" part. The data from the server is then manipulated and presented to the user – i.e. jqGrid presents tabular data. If you use another grid component (Dojo, Yahoo, etc.) things are the same. The data that you provide is on the user's machine and you cannot secure it, since you want this data to be seen by the user. There is no sense in (and you cannot) securing the data on the user's machine. On the client machine the user can manipulate the content in any way they want – I mean using FireBug I can enable or disable whatever I want, etc. Is this bad?
The answer is – yes, it is bad if you do not have securing procedures on the server. If you have strong securing procedures on the server you should not care about the data on the user's machine.
The real securing, IMHO, should be done on the server. Typically in my applications I check for every request:
1. Whether the user is logged in to the system
2. Compare the password from this user to the one stored in my database (encrypted)
3. Whether the user has the right to this page.
4. If the user has this right, what actions are allowed for this user.
5. Check the parameters that are passed from the user
6. At the end, write the SQL so that no SQL injection can be done (typically I use prepared statements)
This of course slows down the speed, but let me say slow speed with higher security is better.
This is one part of this process. Of course you can use SSL, VPN, etc. You can allow only certain users to have access to the system if you know their IP, and so on.
I think we started something that will be interesting for others.
Best Regards
Tony
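As an added example (my own code, not from Tony's post and not part of jqGrid): the six server-side checks listed in the post, applied to one jqGrid data request, in Python with an in-memory SQLite database standing in for the real one. The request parameter names page, rows, sidx, sord and oper are the ones jqGrid sends by default; the users/sessions/invoices tables, the role tables, the sample rows and the handle_request function are assumptions made for this example, and the stored password is a salted PBKDF2 hash compared in constant time rather than an encrypted value. The point worth seeing in code is step 5 feeding step 6: sidx and sord end up inside the SQL text, where a placeholder cannot protect them, so they are reduced to whitelisted constants before the query is built.

```python
import hashlib
import hmac
import os
import sqlite3

# Policy tables (hypothetical; the post only lists the checks, not how they are stored)
PAGE_ROLES = {"invoices": {"admin", "clerk"}}            # step 3: roles allowed on each page
ACTION_ROLES = {                                          # step 4: jqGrid operations per role
    "read": {"admin", "clerk"},                           # plain data load (no oper parameter)
    "add": {"admin", "clerk"},
    "edit": {"admin", "clerk"},
    "del": {"admin"},
}
SORT_COLUMNS = {"id": "id", "name": "name", "amount": "amount"}  # step 5: sidx whitelist
SORT_ORDERS = {"asc", "desc"}                                     # step 5: sord whitelist
MAX_ROWS = 100
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; an assumption, the post says only 'encrypted'."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def build_sample_db():
    """Constructed in-memory database with two users and three invoice rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, role TEXT)")
    conn.execute("CREATE TABLE sessions (username TEXT PRIMARY KEY)")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, name TEXT, amount REAL)")
    for user, pw, role in (("alice", "correct horse", "admin"), ("bob", "battery staple", "clerk")):
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (user, salt, hash_password(pw, salt), role))
        conn.execute("INSERT INTO sessions VALUES (?)", (user,))   # both users are logged in
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                     [(1, "Widgets", 120.0), (2, "Gadgets", 80.5), (3, "Gizmos", 42.0)])
    return conn


def handle_request(conn, page, user, password, params):
    """Run the six checks for one jqGrid request; return (HTTP status, response body)."""
    # 1. Is the user logged in?
    if conn.execute("SELECT 1 FROM sessions WHERE username = ?", (user,)).fetchone() is None:
        return 401, {"error": "not logged in"}
    # 2. Does the supplied password match the stored hash? Constant-time compare.
    row = conn.execute("SELECT salt, pw_hash, role FROM users WHERE username = ?", (user,)).fetchone()
    if row is None or not hmac.compare_digest(hash_password(password, row[0]), row[1]):
        return 401, {"error": "bad credentials"}
    role = row[2]
    # 3. May this user open this page at all?
    if role not in PAGE_ROLES.get(page, set()):
        return 403, {"error": "page not allowed"}
    # 4. Is the requested grid operation allowed for this role? jqGrid sends
    #    oper=add|edit|del on edit requests; a data load carries no oper.
    action = params.get("oper", "read")
    if role not in ACTION_ROLES.get(action, set()):
        return 403, {"error": "action not allowed"}
    # 5. Validate every client-supplied parameter before it goes near SQL.
    try:
        page_no = int(params.get("page", 1))
        rows = int(params.get("rows", 20))
    except ValueError:
        return 400, {"error": "page/rows must be integers"}
    if page_no < 1 or not 1 <= rows <= MAX_ROWS:
        return 400, {"error": "page/rows out of range"}
    sidx = params.get("sidx", "id")
    sord = params.get("sord", "asc").lower()
    if sidx not in SORT_COLUMNS or sord not in SORT_ORDERS:
        return 400, {"error": "invalid sort parameters"}
    if action != "read":
        return 200, {"ok": True}   # edit handling omitted; the same checks gate it
    # 6. Placeholders for every value; the ORDER BY column and direction are interpolated
    #    only because step 5 already mapped them to constants from the whitelist.
    total = conn.execute("SELECT COUNT(*) FROM invoices").fetchone()[0]
    sql = f"SELECT id, name, amount FROM invoices ORDER BY {SORT_COLUMNS[sidx]} {sord} LIMIT ? OFFSET ?"
    cur = conn.execute(sql, (rows, (page_no - 1) * rows))
    return 200, {
        "page": page_no,
        "total": (total + rows - 1) // rows,     # page count, as jqGrid expects
        "records": total,
        "rows": [{"id": r[0], "cell": list(r)} for r in cur],
    }


if __name__ == "__main__":
    db = build_sample_db()
    print(handle_request(db, "invoices", "alice", "correct horse",
                         {"page": "1", "rows": "2", "sidx": "amount", "sord": "desc"}))
    print(handle_request(db, "invoices", "bob", "battery staple",
                         {"sidx": "name; DROP TABLE invoices"}))
```

A request with `sidx=name; DROP TABLE invoices` is rejected at step 5 with a 400 and never reaches the query; a clerk sending `oper=del` is stopped at step 4 even though the grid's delete button was visible to them, which is exactly the "do not trust what the client shows" point of the post.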