如何prevent用户通过萤火虫在Ajax请求变化的变量 [英] How to prevent users changing variables via firebug in ajax requests
问题描述
我让我的用户喜欢的更新或论坛主题。 因此,当用户试图在这些最喜欢的,我会通过Ajax送两件事情,在ITEM_ID(更新或主题)的ID(例如1321313213)和它的类型(更新或主题)作为字符串。
I allow my users to favorite an update or a forum topic. So when a user tries to favorite one of these i will send via Ajax 2 things, the item_id(update or topic) as id(ex. 1321313213) and its type("update" or "topic") as string.
不过可以说某人试图喜爱的ID的更新不变,但类型更改为主题(通过萤火虫或任何其他)...
However lets say someones tries to favorite an update with the id untouched but the type is changed to "topic"(via firebug or whatever else)...
这不应该procceed,因为这个组合是不正确的......我怎么能保证所发送的ITEM_ID是更新或主题,因为这个ID可能共同存在于两个表中???
This should not procceed since this combination is not correct... how can i assure that the item_id being sent is an update or a topic since this ID might co-exist in both tables???
当前的解决方案:
创建一个隐藏的输入元素,并添加为价值5个随机字符(A-ZA-Z0-9)和MD5类型名(更新或主题)
Create a hidden input element and add as value 5 random characters (a-zA-Z0-9) and md5 type name(update or topic)
这样的:
$random_str = $this->my_model->generateRandomString(5);
<input type="hidden" value="<?php echo $random_str.md5("update"); ?>" id="type" />
所以当我尝试验证数据,以检查它是否是我分裂型的前5个字符的更新或主题及更高版本和检查后的字符是MD5散列是更新或主题,继续验证
so when i try to validate the data to check if it is an update or topic i split the type on the first 5 characters and later and check if the later characters are md5 hashed are update or topic and continue validation
我想一些帮助的情况下,这是可以改变的很好...
I would like some help in case this can be altered as well...
推荐答案
您的服务器端脚本(PHP)必须始终假定它变得虚假数据。不要完全依赖JavaScript来处理任何消毒/验证。
Your server side script (PHP) must always assume it's getting bogus data. Never rely solely on javascript to handle any sanitization / verification.
如果你的JavaScript可以确定的工作应该是更新或主题,我敢肯定你的PHP可以做到这一点。大概用了几个数据库查询或一些这样的,但是这是你必须付出的代价。
If your javascript can determine if the job should be "update" or "topic", I'm sure your PHP can do that as well. Probably using a few more DB queries or some such, but that's the price you've got to pay.
这篇关于如何prevent用户通过萤火虫在Ajax请求变化的变量的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
