If the function called by the hacker happens to perform any CRUD operation on the database, the whole system is exposed to attack.
- String, Date, Number, Boolean, Array, Object.
- A value can also be null or undefined.
Carefully validating data against those data types and value types should help a lot. Also, remember to use === when you need a strict comparison.
The solution to the other problem is more complicated and tricky. Each company in the industry has different solutions, but most of them share the same concept.
The basis of the concept is that every function is hidden inside a module as a property of the module object, which can only be called by a controller. The controller is started on document.ready, monitors and responds to page events, and cannot be called from outside.
Therefore, the only way to call the method is for the correct event to occur on the page; the controller listening for that event then calls the method inside the corresponding module. This won't eliminate all the vulnerabilities, but it will improve security by a lot. Be sure to talk to the architect about which solution your system should be using.
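A minimal sketch of the module-and-controller concept described above, combined with the strict type checks from earlier. This is an added example, not code from the original article; the names startApp, accountModule and rename-request are hypothetical, and a plain EventTarget stands in for document so the sketch also runs outside a browser.

```javascript
// Added illustration; startApp, accountModule and "rename-request" are hypothetical names.
function startApp(eventSource) {
  "use strict";
  // Private state and functions: reachable only through this closure.
  const log = [];
  const accountModule = {
    rename(id, name) {
      log.push({ id, name }); // stands in for a database update
      return true;
    },
  };

  // Validate by data type and value, using strict comparisons only.
  // The event payload is treated as untrusted input.
  function isValidRename(detail) {
    return detail !== null && typeof detail === "object" &&
      Number.isInteger(detail.id) && detail.id > 0 &&
      typeof detail.name === "string" && detail.name.trim() !== "";
  }

  // Controller: the only caller of the module, driven by page events.
  eventSource.addEventListener("rename-request", (event) => {
    if (isValidRename(event.detail)) {
      accountModule.rename(event.detail.id, event.detail.name.trim());
    }
  });

  // Only a read-only counter is exposed; no module function is returned.
  return { applied: () => log.length };
}

// Constructed sample events; in a page the controller would be started
// from the document-ready handler with `document` as the event source.
function demo() {
  const page = new EventTarget();
  const app = startApp(page);
  const fire = (detail) =>
    page.dispatchEvent(Object.assign(new Event("rename-request"), { detail }));
  fire({ id: 7, name: "alice" });   // accepted
  fire({ id: "7", name: "alice" }); // rejected: id is a String, not a Number
  fire({ id: 7, name: null });      // rejected: name is null
  fire(undefined);                  // rejected: no payload at all
  // typeof on an undeclared identifier yields "undefined" instead of throwing.
  return { applied: app.applied(), moduleInScope: typeof accountModule };
}
```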