Jquery security regarding mysql injection

I know its probably unconventional but I want to know if the below code is secure or not.

First piece of code is htee jquery object creation plus the call to the retrieve_data function:

var dataset = [
        {
            query_column: "articles.id,articles.category_id,articles.text,articles.slug article_slug,site_categories.title,site_categories.slug site_categories_slug",
            table_name: 'articles',
            query_join: 'LEFT JOIN site_categories ON site_categories.Id = ' + category,
            query_filter: ['articles.category_id LIKE ', '%' + category + '%'],
            query_limit: 'LIMIT ' + limit,
            unique_column_switch: '1'
        }
    ];
    retrieve_data(dataset, function (data) {

Next is the retrieve_data function itself:

function retrieve_data(dataset, callback) {
    $.ajax(
        {
            type: "POST",
            url: "<?php echo ROOT_URL; ?>php/content/retrieve_data.php",
            data: {json: JSON.stringify(dataset)},
            success: function (data) {
                var data = $.parseJSON(data);
                callback(data);
            }
        });
}

Finally the php that retrieves the data and prints it out for the return to jquery:

mb_internal_encoding("UTF-8");
session_start();
include '../../config.php';
include ROOT_DIR . "php/dbconnection/dbconnection.php";
include ROOT_DIR . 'php/authentication/encryption.php';
$encrypt_decrypt = new encryption();
$json = json_decode($_POST['json']);
$array = array();

/*
 * THIS IS TO BUILD A STRING OF DIFFERENT QUERIES TO BE PERFORMED UPON UPDATE BEING PRESSED
 * PARAMS:
 * data_value:::::::::::: THE VALUE USED TO FIND THE ROW
 * table_name:::::::::::: TABLE NAME
 * unique_column::::::::: UNIQUE DATA ELEMENT THAT LINKS ALL THE TABLES TOGETHER
 * query_end::::::::::::: END OF QUERY (EXTRA WHERE CLAUSES, ORDER BY, LIMIT, ETC)
 * query_column:::::::::: COLUMNS THAT ARE GOING TO BE CALLED, DEFAULTS TO * IF USING JOINS THEN      THIS MUST BE SPECIFIED I.E. TABLE1.*, TABLE2.*, ETC
 * query_join:::::::::::: SET ANY JOINS HERE
 * unique_column_switch:: IF SET TO 1 DISABLES USE OF A UNIQUE COLUMN AND USES QUERY END EXCLUSIVELY
 */
foreach($json as $item){
    $table_name = $mysqli->real_escape_string($item->table_name);
    $unique_column = $mysqli->real_escape_string($item->unique_column);
$data_value = $mysqli->real_escape_string($item->data_value);
$query_column = $mysqli->real_escape_string($item->query_column);
$query_join = $mysqli->real_escape_string($item->query_join);
$query_filter = $item->query_filter;
$query_order = $mysqli->real_escape_string($item->query_order);
$query_limit = $mysqli->real_escape_string($item->query_limit);
$unique_column_switch = $mysqli->real_escape_string($item->unique_column_switch);
$query_filter_safe = array();
foreach($query_filter as $key1 => $val1){
    array_push($query_filter_safe, ($key1 % 2) ? "'" . $mysqli->real_escape_string($val1) . "'" : $mysqli->real_escape_string($val1));
}
if(empty($unique_column) && $unique_column_switch != '1'){
    $query1 = $mysqli->query("SHOW KEYS FROM `$table_name` WHERE Key_name = 'PRIMARY'");
    $fetch1 = $query1->fetch_array(MYSQLI_ASSOC);
    $unique_set = $fetch1['Column_name'] . " = '" . $data_value . "'";
    $unique_column = $fetch1['Column_name'];
} else{
    $unique_set = ($unique_column_switch != '1') ? "`" . $table_name . "`.`" . $unique_column . "` = '" . $data_value . "'" : '';
}
$unique_column = (empty($unique_column)) ? '' : $unique_column;
$where = (empty($unique_set) && empty($query_filter)) ? '' : 'WHERE';
$select_items = (empty($query_column)) ? '*' : $query_column;
$query2 = "SELECT " . $select_items . " FROM " . $table_name . " " . $query_join . " " . $where . " " . $unique_set . " " . join(' ', $query_filter_safe) . " " . $query_order . " " . $query_limit;
//echo $query2;
$query2 = $mysqli->query($query2);
for($x = 0; $fetch2 = $query2->fetch_array(MYSQLI_ASSOC); $x++){
    $fetch2 = $encrypt_decrypt->decrypt_val($fetch2, $table_name, $mysqli);
    foreach($fetch2 as $column => $value){
        ($unique_column == $column) ? $array[$table_name][$x]['INDEX_VALUE'] = $value : $array[$table_name][$x][$column] = $value;
    }
}
}
echo json_encode($array);

EDIT 12/5 12:00PM EST

I have rewritten what I was trying to do. Thanks again for pointers everyone! @MonkeyZeus and @Carth were extremely useful.

include '../../config.php';
include ROOT_DIR . "php/dbconnection/dbconnection_pdo.php";
$query = "SELECT * FROM site_users WHERE username = :username";
$query = $pdo->prepare($query);
$query->execute(array('username' => $_POST['username']));
$result = $query->fetchAll(PDO::FETCH_ASSOC);
echo json_encode($result);

Going back to jquery:

function article_box_basic(category, limit, max_char_count, location) {
    $.ajax(
        {
            type: "POST",
            url: "<?php echo ROOT_URL; ?>php/content/article_box_basic.php",
            data: {username: 'moltmans'},
            success: function (data) {
                var data = $.parseJSON(data);

Do something here with data

Answers


This is emphatically not a "secure" approach. Validation and control on the client side should be treated as an inherently insecure convenience for generating a request not a means of enforcing true security. Your server side code should be validating the request parameters within the context of who your user is and what they're doing. Since a user can set "dataset" to whatever they want it doesn't matter if the category variable is itself prone to injection based on its usage in the rest of the statement.

By exposing your schema on the client side like this you're revealing valuable information that there's no need to expose.


Need Your Help

updating a shelve dictionary in python parallely

python parallel-processing multiprocessing shelve

I have a program that takes a very huge input file and makes a dict out of it. Since there is no way this is going to fit in memory, I Decided to use shelve to write it to my disk. Now I need to t...

Amazon Marketplace FBA API connection issue - returns error 'Seller is not registered for basic fulfillment'

amazon amazon-mws fulfillment

We are trying to build a custom in house solution to MWS so that we can use Amazon FBA. We have professional accounts setup in both US and EU and we have triple checked that the accounts are regist...