derek5. 2016-10-03 10:10 采纳率: 100%
浏览 25

安全的Ajax通话

I have a dataTable with server-side processing but I don't know how to secure the ajax call because if anyone go to the ajax php file can read all the content.

This is my jquery:

$(document).ready(function() {
    $('#netflow').DataTable( {
        aaSorting: [[ 5, "desc" ]],
        responsive: {
        details: {
            renderer: function ( api, rowIdx ) {
            var data = api.cells( rowIdx, ':hidden' ).eq(0).map( function ( cell ) {
                var header = $( api.column( cell.column ).header() );
                return  '<p style="color:#00A">'+header.text()+' : '+api.cell( cell ).data()+'</p>';  // changing details mark up.
            } ).toArray().join('');

            return data ?    $('<table/>').append( data ) :    false;
            }
        }
        },
        processing: true,
        serverSide: true,
        ajax: "/adm/includes/netflow_processing.php",
    } );
    var oTable = $('#netflow').dataTable();
    var table = $('#netflow').DataTable();
    $('#netflow_filter input').unbind();
    $('#netflow_filter input').bind('keyup', function(e) {
        if(e.keyCode == 13) {
                oTable.fnFilter(this.value);
        }
    });
    // Añadir filtro para cad acelda
    $('#netflow tfoot th').each( function (i) {
        $(this).html( '<input type="text"/style = "width: 100%; " placeholder="Filtra...">' );
    } );
    // Aplicar filtro al introducir en cada celda
    table.columns().eq( 0 ).each( function ( colIdx ) {
        $( 'input', table.column( colIdx ).footer() ).on( 'keyup change', function () {
            table
                .column( colIdx )
                .search( this.value )
                .draw();
        } );
    } );
} );

And this is the ajax script:

<?php

$table = 'netflow';
$primaryKey = 'id';

$columns = array(
        array( 'db' => 'flow_src', 'dt' => 0 ),
        array( 'db' => 'flow_dst', 'dt' => 1 ),
        array( 'db' => 'flow_proto', 'dt' => 2 ),
        array( 'db' => 'out_packets', 'dt' => 3 ),
        array( 'db' => 'in_packets', 'dt' => 4 ),
        array( 'db' => 'flow_start', 'dt' => 5 )
);

$sql_details = array(
    'user' => '6g43tfr3',
    'pass' => 'XXXXXXXXX',
    'db'   => 'DBNAME',
    'host' => 'bbdd.localdomain'
);

require( 'ssp.class.php' );

echo json_encode(
    SSP::simple( $_GET, $sql_details, $table, $primaryKey, $columns )
);

How can I make a hash/token request?

  • 写回答

2条回答 默认 最新

  • elliott.david 2016-10-03 10:21
    关注

    First of all, I can't see any check that the user is logged, or some other check. You can create user with levels. Admin user, normal user and give him access code. You can use this pseudo code.

    $access = false;
$user == isAdmin() {
$access = true;
}

if($access == false) return redirect;

    Second, you can make some check that is AJAX requirest.

    if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
    /* special ajax here */

}

    And in this scopes you can make additional check ( for login, access level, etc. ) , BUT there's no 100% way to detect if the request was made via ajax. Even if someone sends header with

    "X-Requested-With: XMLHttpRequest"

    评论

报告相同问题?

悬赏问题

  • ¥15 c语言怎么用printf(“\b \b”)与getch()实现黑框里写入与删除?
  • ¥20 怎么用dlib库的算法识别小麦病虫害
  • ¥15 华为ensp模拟器中S5700交换机在配置过程中老是反复重启
  • ¥15 java写代码遇到问题,求帮助
  • ¥15 uniapp uview http 如何实现统一的请求异常信息提示?
  • ¥15 有了解d3和topogram.js库的吗?有偿请教
  • ¥100 任意维数的K均值聚类
  • ¥15 stamps做sbas-insar,时序沉降图怎么画
  • ¥15 买了个传感器,根据商家发的代码和步骤使用但是代码报错了不会改,有没有人可以看看
  • ¥15 关于#Java#的问题,如何解决?