Hi,
It looks like there is no flaw in the Ajax model, for the example you mentioned could have been tried with the Non-Ajax Model also and still the application could have been susceptible to SQL Injection attack, which is a basic attack. The basic flaw that I saw was that the programmer should have used Parameterized commands instead of inline SQL queries, or better still the 3-Tier Architecture using Parameterized commands, which is the most basic and common-sense approach to develop Web Applications.
I don't think that having Ajax will save the programmer from the SQL Injection Attack, because Ajax was not designed to secure the programmer from these attacks. I think it is stupid to even think in this direction, "... that why the application is still susceptible to SQL Injection attack, even though I had Ajaxified it?"
Ajax or No Ajax, First, the programmer should always get his basics clear!
I really liked the spirit and the language of the article, thanks for this nice article.
Regards,
Mahernoz
Favorite Quote: The Heart has its own reasons which the reason knows not of... -- Blaise Pascal
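
Added example, not part of the comment above and not code from the article it replies to: the same server-side lookup written with an inline SQL string and with a parameterized command, called once as a form post and once as an Ajax request. The `users` table, the request dictionaries and all function names are constructed for illustration, using Python's built-in `sqlite3`.

```python
import sqlite3

def make_db():
    # Constructed sample data, held in memory only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"),
                    ("bob", "bob@example.test")])
    return db

def find_inline(db, name):
    # Inline query: the input becomes part of the SQL text itself.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in db.execute(sql))

def find_parameterized(db, name):
    # Parameterized command: the input is bound as a value, never parsed as SQL.
    sql = "SELECT email FROM users WHERE name = ?"
    return sorted(row[0] for row in db.execute(sql, (name,)))

def handle(db, finder, request):
    # The data tier sees only the parameter; the transport never reaches it.
    return finder(db, request["params"]["name"])

# Constructed requests carrying the same crafted parameter over both transports.
CRAFTED = "x' OR '1'='1"
FORM_POST = {"headers": {}, "params": {"name": CRAFTED}}
AJAX_CALL = {"headers": {"X-Requested-With": "XMLHttpRequest"},
             "params": {"name": CRAFTED}}

def demo():
    db = make_db()
    return {
        "inline_form": handle(db, find_inline, FORM_POST),
        "inline_ajax": handle(db, find_inline, AJAX_CALL),
        "param_form": handle(db, find_parameterized, FORM_POST),
        "param_ajax": handle(db, find_parameterized, AJAX_CALL),
    }

if __name__ == "__main__":
    for case, rows in demo().items():
        print(case, rows)
```

The inline version returns every row for both transports, while the parameterized version treats the crafted string as an ordinary name and matches nothing.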