dqqy64515 2014-04-18 20:44
浏览 71

仅允许授权的AJAX请求

Simplified: In my JS/PHP app I have a button. When a user clicks on the button he gets 1 point which is saved via jQuery AJAX/PHP in a database.

Of course the user now can call the script that makes the AJAX request without clicking the button. Is there any best-practice to avoid that?

I am using AJAx because I don't want the page to reload.

Update: There are many other options how a user can earn points. Idealy I would have a JS function add_points(points) that adds the points for the user. But I know that anyone can write a script to call this function automaticly. I guess the only way is to generate a hash vor every possible point-earn action and submit this hash with the AJAX request.

  • 写回答

4条回答 默认 最新

  • dongshi949737 2014-04-18 20:48
    关注
    if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
    /* special ajax here */
    die($content);
}
    评论

报告相同问题?

悬赏问题

  • ¥15 C# datagridview 栏位进度
  • ¥15 vue3页面el-table页面数据过多
  • ¥100 vue3中融入gRPC-web
  • ¥15 kali环境运行volatility分析android内存文件,缺profile
  • ¥15 写uniapp时遇到的问题
  • ¥15 vs 2008 安装遇到问题
  • ¥15 matlab有限元法求解梁带有若干弹簧质量系统的固有频率
  • ¥15 找一个网络防御专家,外包的
  • ¥100 能不能让两张不同的图片md5值一样,(有尝)
  • ¥15 informer代码训练自己的数据集,改参数怎么改