doulongsi1831
2015-07-01 12:38
浏览 37
已采纳

安全地将变量从客户端javascript传递到nodejs服务器

I have a website made using php and one part of it is written in node js. The node js server and php share the mysql database. One part of my website is using nodejs which requires that I pass the user id from client side to node js server.

for example I am doing something like this

var user_id=parseInt(<?php echo $this->id; ?>);

The php part is in zend. so for those unfamiliar with zend this id is set in the controller for this particular view.

So when i view the source for this particular page the user id is clearly visible and if changed, a user can make changes to some tables in the database of another user if he passes some other user id instead of his.

What is the best way to hide this variable or some other approach which will help me overcome this issue ?

图片转代码服务由CSDN问答提供 功能建议

我有一个使用php制作的网站,其中一部分是用节点js编写的。 节点js服务器和php共享mysql数据库。 我网站的一部分是使用nodejs,这要求我将用户id从客户端传递给节点js服务器。

例如我 我正在做这样的事情

  var user_id = parseInt(&lt;?php echo $ this-&gt; id;?&gt;); 
   
 
 

php部分在zend中。 所以对于那些不熟悉zend的人来说,这个id是在这个特定视图的控制器中设置的。

因此,当我查看此特定页面的源时,用户ID清晰可见,如果更改, 用户可以更改另一个用户的数据库中的某些表,如果他传递了一些其他用户ID而不是他的。

隐藏此变量或其他方法的最佳方法是什么 帮我解决了这个问题?

  • 写回答
  • 好问题 提建议
  • 追加酬金
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • duanchi6397 2015-07-14 18:12
    已采纳

    You have something backwards here.

    PHP is a backend language as well and Node is your backend language.

    Now to communicate within them why do you pass the parameter to the javascript via HTML and then expect it to be secure

    Best way to handle it is that you should either create some API on the node so the PHP can send the values directly to that.. by talking to this API instead of waiting for javascript to do it.

    OR

    You should create a token authentication system and use it so everytime php page is generated for this client, it creates a token with some random chars and then pass this token to the JS.. JS then requests Node with this token.. Node sees the token table and identifies the Client ID and that would do the necessary job.

    Some kind of token/ auth should be used on the Node side else your server is not secure regardless.

    评论
    解决 无用
    打赏 举报

相关推荐 更多相似问题