dongmangwei3822 2015-01-18 10:49
Views: 38

Secure AJAX POST / GET with jQuery

So basically my question is simple. Imagine a situation where you are making a login or register form. With jquery.post I make an AJAX call:

$.post( "pages/form_handle.php", { name: $(".username").val(), pass: $(".pass").val() }, function( data ) {
    $( ".result" ).html( data );
});

It's a simple call (I believe so)...

How to make it secure? If a user looks in my source code, he or she knows where I send my data (in the example, pages/form_handle.php), and also knows what data I send to this page. One idea I have is to simply send all AJAX calls to one page, ajax.php, adding extra variables that will call the right PHP function for the AJAX call... But is that the right way? Or maybe there is some better way to make it secure?


1 answer

  • duancan2539 2016-06-26 00:31

    Stick to basics, and keep salting your passwords.

    AJAX is not a server-side language; it's a JavaScript plugin that does the same thing as forms, actions, etc., just in the background as a new request.

    Your AJAX is not in danger, but your PHP files are. You can use jquery-validate.js to check users' input, but you should also make validation checks in your ajax.php.

    Here is a simple AJAX login request:

    function loginUser() {
        var process = "loginUser";
        var data = $("form").serializeArray();
        data[1].value = data[1].value; // data to ajax.php page 
        data = JSON.stringify(data);
    
        $("#loginButton").html('Login');
        $.ajax({
            type: "POST",
            url: "ajax.php",
            data: {"process": process, "data": data},
            success: function(data) {
                if (data.response.state == "success") {
                    // if ajax.php returns success, redirect to homepage or whatever
                } else {
                    // if ajax.php returns failure, display error
                }  
            },
            error: function(jqXHR, textStatus, errorThrown, data) {
                // error handling
            },
            dataType: "json"
        });
    }
    

    And the simple ajax.php login:

    <?php // ajax.php

    require_once 'login.php'; // defines $db_hostname, $db_username, $db_password, $db_database

    // Note: the mysql_* functions and get_magic_quotes_gpc() used below were
    // removed in PHP 7.0 and PHP 8.0 respectively; this code runs only on PHP 5.x.
    $db_server = mysql_connect($db_hostname, $db_username, $db_password);
    if (!$db_server) die("Unable to connect to MySQL: " . mysql_error());
    mysql_select_db($db_database)
        or die("Unable to select database: " . mysql_error());

    if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
        $un_temp = mysql_entities_fix_string($_SERVER['PHP_AUTH_USER']);
        $pw_temp = mysql_entities_fix_string($_SERVER['PHP_AUTH_PW']);

        $query  = "SELECT * FROM users WHERE username='$un_temp'";
        $result = mysql_query($query);
        if (!$result) {
            die("Database access failed: " . mysql_error());
        } elseif (mysql_num_rows($result)) {
            $row   = mysql_fetch_row($result);
            $salt1 = "qm&h*";
            $salt2 = "pg!@";
            $token = md5("$salt1$pw_temp$salt2");

            // hash_equals() instead of ==: PHP's loose comparison treats two hex
            // digests that both look like "0e..." as equal numbers.
            if (hash_equals((string) $row[3], $token)) {
                echo "$row[0] $row[1] : Hi $row[0], you are now logged in as '$row[2]'";
            } else {
                die("Invalid username/password combination");
            }
        } else {
            die("Invalid username/password combination");
        }
    } else {
        header('WWW-Authenticate: Basic realm="Restricted Section"');
        header('HTTP/1.0 401 Unauthorized');
        die("Please enter your username and password");
    }

    function mysql_entities_fix_string($string) {
        return htmlentities(mysql_fix_string($string));
    }

    function mysql_fix_string($string) {
        if (get_magic_quotes_gpc()) $string = stripslashes($string);
        return mysql_real_escape_string($string);
    }

    ?>
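A hardened version of the ajax.php handler, added here as an example (it is not code from the question or from the answer above). It addresses the question's point that the endpoint path and parameter names are visible to anyone who reads the page source, and the answer's advice to validate on the server and salt passwords: since the URL cannot be hidden, the handler is written so that it is safe no matter who calls it. It assumes things the page does not mention: a hypothetical config.php that creates a PDO connection in $pdo, a users table with id, username and password_hash columns (the hash written by password_hash() at registration), and a CSRF token that the page rendering the form stored in $_SESSION['csrf'] and that the client posts as a "csrf" field next to the "name" and "pass" fields from the question's $.post() call.

```php
<?php
// ajax.php: hardened login handler for the $.post() call in the question.
// Added example, not the answerer's code. Assumptions not on the page:
//   - config.php (hypothetical) creates $pdo, a PDO connection with
//     PDO::ATTR_ERRMODE set to PDO::ERRMODE_EXCEPTION
//   - table users(id, username, password_hash), where password_hash was
//     written by password_hash($plaintext, PASSWORD_DEFAULT) at registration
//   - the page rendering the form stored bin2hex(random_bytes(32)) in
//     $_SESSION['csrf'] and the client posts it as the "csrf" field
declare(strict_types=1);

session_start();
header('Content-Type: application/json; charset=utf-8');
require_once 'config.php'; // hypothetical; provides $pdo

/** Send one JSON envelope in the shape the answer's JavaScript expects, then stop. */
function reply(int $status, string $state, string $message): void
{
    http_response_code($status);
    echo json_encode(['response' => ['state' => $state, 'message' => $message]]);
    exit;
}

// Credentials belong in a POST body, never in a GET query string that ends up
// in server logs and browser history.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    reply(405, 'failure', 'Method not allowed');
}

// Anti-CSRF: the token sent with the request must match the one in the session.
$csrf = $_POST['csrf'] ?? '';
if (!is_string($csrf) || !isset($_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], $csrf)) {
    reply(403, 'failure', 'Invalid request token');
}

// Server-side validation: jquery-validate runs in the browser and can be bypassed.
$name = $_POST['name'] ?? '';
$pass = $_POST['pass'] ?? '';
if (!is_string($name) || !is_string($pass)
    || !preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $name)
    || strlen($pass) < 8 || strlen($pass) > 256) {
    reply(400, 'failure', 'Invalid username or password format');
}

// Prepared statement: the username is bound as data, not spliced into the SQL
// text, so escaping helpers such as mysql_real_escape_string are not needed.
$stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
$stmt->execute([$name]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// password_verify() reads the per-user salt from the stored hash and compares in
// constant time, replacing the fixed "$salt1 . $pw . $salt2" md5 scheme. The check
// also runs for unknown usernames so response time does not reveal which names exist.
$dummyHash = password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);
$stored    = is_array($row) ? (string) $row['password_hash'] : $dummyHash;
$valid     = password_verify($pass, $stored) && is_array($row);

if (!$valid) {
    // One generic message for "no such user" and "wrong password" alike.
    reply(401, 'failure', 'Invalid username/password combination');
}

session_regenerate_id(true);                      // defeat session fixation
$_SESSION['user_id'] = (int) $row['id'];
$_SESSION['csrf']    = bin2hex(random_bytes(32)); // rotate the token after login
reply(200, 'success', 'Logged in as ' . $row['username']);
```

Because the path and field names cannot be hidden from the client, the design treats every request as untrusted: method check, CSRF token, server-side validation, a prepared statement, password_verify() in place of a hand-rolled md5 salt, and one generic failure message so that the response does not tell a caller whether a username exists. The question's $.post() call needs only one change to work with it: send the token as a third field, e.g. csrf: $("input[name=csrf]").val().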
    
