使用Ajax + JQuery + MySql + PHP保存表单 [英] Save form as progressed with Ajax + JQuery + MySql + PHP

问题描述

我有一个动态表单，一旦用户完成添加数据，可能会变得很长。我希望能够设置的是一个后台进程，它可以将数据保存到数据库中。

我设置的是一个settimer函数，用于检查问题是否在保存的状态下，如果不添加到要保存的问题列表中。然后它会触发一个使用php发布到我的数据库的ajax调用。第一次发生这种情况时，ajax将返回提交的id，以便表单知道将这些内容发布到哪里。

第二次设置定时器函数运行时，它会通过这个ID。

我最大的问题是我不希望用户知道表ID。我只是想，有人可以捣乱javascript，并很容易地将结果提交给其他ID。

我只是想知道是否有更好的方法来实现这一点？甚至是一些例子？

谢谢 解决方案

应该将服务器端的ID保存在 $ _ SESSION 变量中，并且永远不要让它到达客户端附近。或者，表单可能包含足够可识别的信息，以便根据某些 UNIQUE 索引确定相关记录。

然而，如果您愿意，您还可以添加一些加密身份验证来证明用户没有更改ID。例如，除了ID本身之外，还要向客户端返回一个与某个秘密连接的ID的安全散列;当客户端向服务器发回ID和散列时，您可以将其与重新计算的散列版本进行比较，以检查只有知道该秘密的人（即您）才能为该客户端提供该ID。

为了击败更复杂的攻击，您可能需要添加一些salt：

  $ salt = some_random_string（）; 
 $ hash = md5（md5（$ secret）。md5（$ id）。md5（$ salt））
  

然后发送给客户端哈希，ID 和盐;所有这三个将返回给你进行验证。

I was wondering about the best way to setup to following.

I have a dynamic form that can potentially get very long once a user has finished adding their data. What I was hoping to setup is a background process that saves the data they have to the database.

What I had setup was a settimer function that would check if a question is in a saved state and if not add it to a list of questions to save. Then it would trigger an ajax call which uses php to post to my database. The first time this happens the ajax will return the id of the submission so the form knows where to post these to.

The second time the set timer function is run it passes this id.

My biggest problem is I don't want the user to know table ids. I was just thinking someone can mess with the javascript and submit their results to other ids pretty easily.

I was just wondering if there is a better way to achieve this? Or even some examples?

Thanks

解决方案

Generally speaking, you should probably keep the ID on the server-side in a $_SESSION variable and never let it get anywhere near the client. Alternatively, the form might contain sufficiently identifiable information to be able to determine the relevant record on the basis of some UNIQUE index.

However, if you prefer, you could also add some cryptographic authentication to prove that the ID has not been altered by the user. For example, in addition to the ID itself, return to the client a secure hash of the ID concatenated with some secret; when the client posts back to your server both the ID and that hash, you can compare against a recalculated version of the hash to check that only someone who knew the secret (i.e. you) could have provided the client with that ID.

In order to defeat more sophisticated attacks, you might want to add some salt:

$salt = some_random_string();
$hash = md5( md5($secret) . md5($id) . md5($salt) )

Then send to the client the hash, the ID and the salt; all three of which it will return to you for validation.

这篇关于使用Ajax + JQuery + MySql + PHP保存表单的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！