dongmangwei3822 2015-01-18 10:49
Views: 38

Secure AJAX POST / GET with jQuery

So basically my question is simple. Imagine a situation when you are making a login or register form. With jquery.post I make an ajax call:

$.post( "pages/form_handle.php", { name: $(".username").val(), pass: $(".pass").val() }, function( data ) {
    $( ".result" ).html( data );
});

It's a simple call (I believe so)...

How to make it secure? If a user looks in my source code, he or she knows where I send my data (in the example, pages/form_handle.php) and also knows what data I send to this page. One idea I have is to simply send all ajax calls to one page, ajax.php, adding extra variables that will call the right php function for the ajax call... But is that the right way? Or maybe there is some better way to make it secure?


1 answer

  • duancan2539 2016-06-26 00:31

    Stick to basics, and keep salting your passwords.

    AJAX is not a server-side language, it's a JavaScript plugin that does the same thing as forms, actions, etc... just in the background as a new request.

    Your ajax is not in danger, but your php files are. You can use jquery-validate.js to check users' input, but you should also do validation checks in your ajax.php.

    Here is a simple ajax login request:

    function loginUser() {
        var process = "loginUser";
        // serialize the form fields into [{name: ..., value: ...}, ...] for ajax.php
        var data = $("form").serializeArray();
        data = JSON.stringify(data);

        $("#loginButton").html('Login');
        $.ajax({
            type: "POST",
            url: "ajax.php",
            // "process" tells ajax.php which server-side function should handle this call
            data: {"process": process, "data": data},
            dataType: "json",
            success: function(data) {
                if (data.response.state == "success") {
                    // if ajax.php returns success, redirect to homepage or whatever
                } else {
                    // if ajax.php returns failure, display error
                }
            },
            error: function(jqXHR, textStatus, errorThrown) {
                // transport-level error handling (HTTP error, invalid JSON, ...)
            }
        });
    }
    

    And the simple ajax.php login:

    <?php // ajax.php
    // NOTE: the mysql_* extension and get_magic_quotes_gpc() used here were
    // removed in PHP 7.0 and PHP 8.0 respectively; this code runs on PHP 5 only.

    // login.php is expected to define $db_hostname, $db_username,
    // $db_password and $db_database
    require_once 'login.php';

    function mysql_fix_string($string) {
        if (get_magic_quotes_gpc()) $string = stripslashes($string);
        return mysql_real_escape_string($string);
    }

    function mysql_entities_fix_string($string) {
        return htmlentities(mysql_fix_string($string));
    }

    $db_server = mysql_connect($db_hostname, $db_username, $db_password);
    if (!$db_server) die("Unable to connect to MySQL: " . mysql_error());
    mysql_select_db($db_database)
        or die("Unable to select database: " . mysql_error());

    if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
        // escape the credentials supplied via HTTP Basic auth before using them in the query
        $un_temp = mysql_entities_fix_string($_SERVER['PHP_AUTH_USER']);
        $pw_temp = mysql_entities_fix_string($_SERVER['PHP_AUTH_PW']);

        $query = "SELECT * FROM users WHERE username='$un_temp'";
        $result = mysql_query($query);
        if (!$result) die("Database access failed: " . mysql_error());

        if (mysql_num_rows($result)) {
            // assumed row layout: 0 = first name, 1 = last name, 2 = username, 3 = password hash
            $row = mysql_fetch_row($result);
            $salt1 = "qm&h*";
            $salt2 = "pg!@";
            $token = md5("$salt1$pw_temp$salt2");

            // strict comparison: == would treat hashes such as "0e123..." as numerically equal
            if ($token === $row[3]) {
                echo "$row[0] $row[1] : Hi $row[0], you are now logged in as '$row[2]'";
            } else {
                die("Invalid username/password combination");
            }
        } else {
            die("Invalid username/password combination");
        }
    } else {
        // no credentials yet: ask the browser for HTTP Basic authentication
        header('WWW-Authenticate: Basic realm="Restricted Section"');
        header('HTTP/1.0 401 Unauthorized');
        die("Please enter your username and password");
    }
    ?>
    
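A hardened version of such an ajax.php login handler, added here as an example and not part of the answer above: the endpoint URL and the `name`/`pass` fields stay visible in the page source, and the security comes from server-side validation, a CSRF token, a prepared statement and password_verify(). It assumes a PDO connection in `$pdo`, a `users(id, username, password_hash)` table, and a `csrf_token` stored in the session when the form was rendered; none of these names come from the page.

```php
<?php
// Added example, not the original answer's code. Assumes $pdo is a PDO
// connection created elsewhere and a table users(id, username, password_hash)
// whose password_hash column was produced by password_hash(). Names are assumptions.
declare(strict_types=1);
session_start();
header('Content-Type: application/json');

function respond(array $payload, int $status = 200): void {
    http_response_code($status);
    echo json_encode(['response' => $payload]);
    exit;
}

// The endpoint and field names being visible in the page source is expected;
// the checks below are what keep that knowledge from being useful.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    respond(['state' => 'failure', 'reason' => 'method'], 405);
}

// Anti-CSRF: compare the submitted token with the one stored in the session
// when the form was rendered, using a constant-time comparison.
$token = (string)($_POST['csrf_token'] ?? '');
if (!isset($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $token)) {
    respond(['state' => 'failure', 'reason' => 'csrf'], 403);
}

// Server-side input validation, independent of any client-side jQuery checks.
$username = trim((string)($_POST['name'] ?? ''));
$password = (string)($_POST['pass'] ?? '');
if ($username === '' || $password === '' || strlen($username) > 64) {
    respond(['state' => 'failure', 'reason' => 'input'], 400);
}

// Prepared statement: the username is bound as a parameter, never pasted into SQL.
$stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
$stmt->execute([$username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// password_verify() handles the per-user salt and compares in constant time.
// Unknown users are checked against a throwaway hash so response time does
// not reveal whether the username exists.
$hash = $row ? $row['password_hash'] : password_hash('throwaway', PASSWORD_DEFAULT);
if (!$row || !password_verify($password, $hash)) {
    respond(['state' => 'failure', 'reason' => 'credentials'], 401);
}

session_regenerate_id(true);  // fresh session id after login, against session fixation
$_SESSION['user_id'] = $row['id'];
respond(['state' => 'success', 'user' => $row['username']]);
```

The JSON shape (`response.state`) matches what the answer's loginUser() callback expects, so it can be used with that client code unchanged.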
