doulongsi1831 2015-07-01 12:38
浏览 37
已采纳

安全地将变量从客户端javascript传递到nodejs服务器

I have a website made using php and one part of it is written in node js. The node js server and php share the mysql database. One part of my website is using nodejs which requires that I pass the user id from client side to node js server.

for example I am doing something like this

var user_id=parseInt(<?php echo $this->id; ?>);

The php part is in zend. so for those unfamiliar with zend this id is set in the controller for this particular view.

So when i view the source for this particular page the user id is clearly visible and if changed, a user can make changes to some tables in the database of another user if he passes some other user id instead of his.

What is the best way to hide this variable or some other approach which will help me overcome this issue ?

  • 写回答

1条回答 默认 最新

  • duanchi6397 2015-07-14 18:12
    关注

    You have something backwards here.

    PHP is a backend language as well and Node is your backend language.

    Now to communicate within them why do you pass the parameter to the javascript via HTML and then expect it to be secure

    Best way to handle it is that you should either create some API on the node so the PHP can send the values directly to that.. by talking to this API instead of waiting for javascript to do it.

    OR

    You should create a token authentication system and use it so everytime php page is generated for this client, it creates a token with some random chars and then pass this token to the JS.. JS then requests Node with this token.. Node sees the token table and identifies the Client ID and that would do the necessary job.

    Some kind of token/ auth should be used on the Node side else your server is not secure regardless.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥50 安卓adb backup备份子用户应用数据失败
  • ¥20 有人能用聚类分析帮我分析一下文本内容嘛
  • ¥15 请问Lammps做复合材料拉伸模拟,应力应变曲线问题
  • ¥30 python代码,帮调试
  • ¥15 #MATLAB仿真#车辆换道路径规划
  • ¥15 java 操作 elasticsearch 8.1 实现 索引的重建
  • ¥15 数据可视化Python
  • ¥15 要给毕业设计添加扫码登录的功能!!有偿
  • ¥15 kafka 分区副本增加会导致消息丢失或者不可用吗?
  • ¥15 微信公众号自制会员卡没有收款渠道啊