doulongsi1831 2015-07-01 12:38
Accepted

Securely passing a variable from client-side JavaScript to a Node.js server

I have a website made using PHP, and one part of it is written in Node.js. The Node.js server and PHP share the MySQL database. One part of my website uses Node.js, which requires that I pass the user id from the client side to the Node.js server.

For example, I am doing something like this:

var user_id=parseInt(<?php echo $this->id; ?>);

The PHP part is in Zend, so for those unfamiliar with Zend, this id is set in the controller for this particular view.

So when I view the source for this particular page, the user id is clearly visible, and if changed, a user can make changes to some tables in the database of another user if he passes some other user id instead of his.

What is the best way to hide this variable, or some other approach which will help me overcome this issue?

1 answer

  • duanchi6397 2015-07-14 18:12

    You have something backwards here.

    PHP is a backend language as well and Node is your backend language.

    Now, to communicate between them, why do you pass the parameter to the JavaScript via HTML and then expect it to be secure?

    The best way to handle it is that you should either create some API on the Node side so that PHP can send the values directly to it, by talking to this API instead of waiting for JavaScript to do it.

    OR

    You should create a token authentication system and use it, so every time a PHP page is generated for this client, it creates a token with some random chars and then passes this token to the JS. JS then requests Node with this token. Node sees the token table and identifies the client ID, and that would do the necessary job.

    Some kind of token/auth should be used on the Node side, else your server is not secure regardless.

    This answer was selected by the asker as the best answer.
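The token scheme from the answer above, as an added example that is not part of the original answer or the asker's code. It assumes the token table lives in the shared MySQL database (modelled here by a `Map`); the function names, the 15-minute lifetime and the choice to store only a hash of the token are hypothetical choices for illustration.

```javascript
// Added example: Node-side token lookup. The Map stands in for the token table
// in the shared MySQL database (assumption); all names here are hypothetical.
const crypto = require('crypto');

const TOKEN_TTL_MS = 15 * 60 * 1000; // constructed lifetime: 15 minutes

// Only a hash of the token is stored, so a leaked table row cannot be replayed.
function hashToken(token) {
  return crypto.createHash('sha256').update(token).digest('hex');
}

// What the PHP side does when it renders the page for a logged-in user:
// create random chars, record token -> user id, hand the token to the browser.
function issueToken(table, userId, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex');
  table.set(hashToken(token), { userId, expiresAt: now + TOKEN_TTL_MS });
  return token;
}

// What Node does on each request: map the token back to a user id.
// Returns null for unknown, malformed or expired tokens.
function resolveUserId(table, token, now = Date.now()) {
  if (typeof token !== 'string' || !/^[0-9a-f]{64}$/.test(token)) return null;
  const key = hashToken(token);
  const row = table.get(key);
  if (!row) return null;
  if (now >= row.expiresAt) {
    table.delete(key); // drop expired rows as they are seen
    return null;
  }
  return row.userId;
}

// Request handler core: any user_id field sent by the client is ignored;
// the acting user comes only from the token lookup.
function handleUpdate(table, body, now = Date.now()) {
  const userId = resolveUserId(table, body.token, now);
  if (userId === null) return { status: 401 };
  return { status: 200, actingUserId: userId };
}

// Constructed demo: user 42's page carries a token; the client tampers user_id.
const table = new Map();
const token = issueToken(table, 42);
console.log(handleUpdate(table, { token, user_id: 7 }));                 // status 200, acting user 42
console.log(handleUpdate(table, { token: 'f'.repeat(64), user_id: 7 })); // status 401
```

The page then embeds the token where it used to embed the user id, and every table write on the Node side uses `actingUserId` rather than anything in the request body.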
