eval() . Now this immediately struck me as potentially problematic from a security perspective.
So I started doing some research into the security aspects of JSON and across this blog post about how JSON is not as safe as people think it is . This part stuck out:
Ok, so that's a good rule to start with: JSON objects at the top level should always be objects and never arrays, numbers or strings. Sounds like a good rule to me.
Is there anything else to do or avoid when it comes to JSON and AJAX related security?
The last part of the above quote mentions unpredictable URLs. Does anyone have more information on this, especially how you do it in PHP? I'm far more experienced in Java than PHP and in Java it's easy (in that you can map a whole range of URLs to a single servlet) whereas all the PHP I've done have mapped a single URL to the PHP script.
Also, how exactly do you use unpredictable URLs to increase security?