dongxiao0449 2016-12-25 20:06
浏览 47
已采纳

从这个ajax调用php脚本只[关闭]

I tried to google my problem but I don´t even know exactly how to ask my question: When the user performs one specific event on my site I would like to call this function, which increases the credit of an other user in a mysql database:

function incrasecredit(){
   $.ajax({
     type: "POST",
     url: "/increasecredit.php",
     data: {},
     success: function(html) {
     }
    }); 
   }

...easy. The problem is (as the script name indicates) that this event is connected to a "credit-system" / money. So I guess it should be secure. "/increasecredit.php" should not be accessed by the user in any other way. E.g. simply by executing it via the browser. Only in this special case when I call it in my jquery script. To be more precise when the user clicks on an iframe, incrasecredit() should be executed. And ONLY in this case. How can I protect this script from beeing executed in a wrong way? I tried to solve it with tokens but didn´t figure it out, yet. I have the feeling I don´t get the bigger picture. Thanks in advance.

  • 写回答

1条回答 默认 最新

  • duanmu1736 2016-12-25 21:59
    关注

    You should implement CSRF tokens on your page, to check that a request has originated from your website via a legitimate mechanism. This boils down to having a one use only token be passed with the POST request that needs to match a token stored against a user session cookie. This token should also automatically expire after some time.

    In addition, the backend should implement some kind of ACL to authorise the transaction. The role of the user can be checked via session for an authenticated user.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥100 set_link_state
  • ¥15 虚幻5 UE美术毛发渲染
  • ¥15 CVRP 图论 物流运输优化
  • ¥15 Tableau online 嵌入ppt失败
  • ¥100 支付宝网页转账系统不识别账号
  • ¥15 基于单片机的靶位控制系统
  • ¥15 真我手机蓝牙传输进度消息被关闭了,怎么打开?(关键词-消息通知)
  • ¥15 装 pytorch 的时候出了好多问题,遇到这种情况怎么处理?
  • ¥20 IOS游览器某宝手机网页版自动立即购买JavaScript脚本
  • ¥15 手机接入宽带网线,如何释放宽带全部速度