如何在 PHP 和 Javascript 中保护我的 jQuery AJAX 调用?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/20170728/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to secure my jQuery AJAX calls in PHP and Javascript?
提问by Goran
I have following PHP and Javascript code snippet in which I am making an jQuery AJAX call to get data from PHP and show it in the HTML.
我有以下 PHP 和 Javascript 代码片段,其中我正在调用 jQuery AJAX 以从 PHP 获取数据并将其显示在 HTML 中。
PHP code
<?php
myfunction();
function myfunction()
{
$myvar = $_POST['q']." how are you?";
$myvar2 = $_POST['z'];
echo $myvar."\n".$myvar2;
}
?>
HTML code
<div id="mydiv"></div>
Javascript code
var data =" hello world";
var data2=" hello all";
function run()
{
$.ajax(
{
url: 'myscript.php',
data: {'q': data,'z':data2},
type: 'post',
success: function(output)
{
//alert(output);
document.getElementById("mydiv").innerHTML += output; //add output to div
}
}
);
}
Above code is working fine.
上面的代码工作正常。
I want to secure this AJAX call to prevent it from hackers because I am making an AJAX call which is visible to all. This code is vulnerable to hackers attack. My question is what and where should I impose extra checks to make my AJAX call secure?
我想保护这个 AJAX 调用以防止它被黑客攻击,因为我正在进行一个所有人都可以看到的 AJAX 调用。此代码容易受到黑客攻击。我的问题是我应该在什么地方以及在哪里施加额外的检查来确保我的 AJAX 调用安全?
One thing I know that I should use following code snippet in my PHP file
我知道我应该在我的 PHP 文件中使用以下代码片段的一件事
if (!$_POST['q'] && !$_POST['z'])
{
exit;
}|
else
{
myfunction(); //call myfunction only if page is posted
}
What extra checks should I use in PHP and Javascript files?
我应该在 PHP 和 Javascript 文件中使用哪些额外的检查?
回答by Goran
there are lots of tricks that hackers use so you just have to make it hard/time consuming enough that the reward is not worth the investment.
黑客使用了很多技巧,所以你只需要让它变得足够困难/耗时,以至于奖励不值得投资。
First you should never echo back something that came in a post. Hackers are known to perform all sorts of injections with a hole like that.
首先,您永远不应该回显帖子中的内容。众所周知,黑客会使用这样的漏洞进行各种注入。
To avoid that simply unescape the value first.
为了避免这种情况,只需先对值进行转义即可。
For MySQL use:mysqli_real_escape_string.
对于 MySQL 使用:mysqli_real_escape_string.
When echoing back HTML (echoor print) use: htmlspecialchars.
当回显 HTML (echo或print) 时,请使用: htmlspecialchars。
For executing code with execuse escapeshellcmdand escapeshellarg.
用于exec使用escapeshellcmd和执行代码escapeshellarg。
Example:
例子:
<?php
define('CHARSET', 'ISO-8859-1');
define('REPLACE_FLAGS', ENT_COMPAT | ENT_XHTML);
function html($string) {
return htmlspecialchars($string, REPLACE_FLAGS, CHARSET);
}
$myvar = $_POST['q']." how are you?";
$myvar2 = $_POST['z'];
echo html($myvar."\n".$myvar2);
?>
回答by Goran
You are using POST that is good.
您使用的 POST 很好。
- More you can use "Session" for security.
- For code security you can put your functions and other important code in some different php files and include them in main file. To keep your code visible from directly.
- 更多您可以使用“会话”来确保安全。
- 为了代码安全,您可以将您的函数和其他重要代码放在一些不同的 php 文件中,并将它们包含在主文件中。使您的代码直接可见。
