Ajax security versus the security of including PHP files in the root directory


Problem description:

In my opinion, Ajax is great for performing requests without clicking a link or sending a form. However, I'm worried about its security issues, or maybe I'm just thinking too much. In Ajax, the JavaScript is viewable to everyone and the PHP is accessible through the web. Would it be possible for the user to directly call the PHP script, bypassing htaccess restrictions etc.?

There are three options (any suggestion for a new option will be appreciated) for me to achieve my goal.

Option A: Page -> clicking button and call ajax -> Display on Page

Option B: Page -> include PHP file in root directory -> Clicking button shows hidden div (below, 10 MySQL rows) -> Display on page

Option C: Page A -> Clicking button redirects to page B -> include PHP file in root directory -> show results over multiple pages (10+ per page)

Option A would be nice for me, however it seems not so secure. Will the answer be the same when dealing with overwriting values in a MySQL table (more security issues have to be considered)?

----------update------------

I'm now using Option C, and using Ajax to accept requests and reject requests based on the result shown on Page B. Still, I'm wondering about the security issues of Ajax, to see when the pros of client+server side scripting with Ajax beat the cons of Ajax's security issues. The web structure needs to be adjusted and improved according to the security issues.
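Options B and C both include a PHP file that sits in the web root, and such a file can be requested directly over HTTP like any other. The following is an added example (not code from the question or any answer) showing one common guard: the page defines a constant before including the file, and the included file refuses to run when that constant is absent. File names `page.php` and `rows.inc.php`, the table `items`, and the database credentials are all hypothetical placeholders; the block shows the two files one after the other, separated by comments.

```php
<?php
// ---- file: page.php (the page the visitor opens; hypothetical name) ----
// Mark this request as having entered through the page. A direct HTTP hit on
// rows.inc.php never passes through here, so the constant will not exist there.
define('IN_APP', true);
session_start();
require __DIR__ . '/rows.inc.php';   // renders the hidden <div> with the rows
?>
<button onclick="document.getElementById('rows').style.display='block'">Show rows</button>

<?php
// ---- file: rows.inc.php (included file sitting in the web root; hypothetical name) ----
// Anyone can request /rows.inc.php directly, so do nothing unless we were
// reached through an include from page.php.
if (!defined('IN_APP')) {
    http_response_code(404);
    exit;
}

// Placeholder credentials; a real deployment keeps these outside the web root.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Fixed query, no user input, so a prepared statement is not strictly needed here;
// output is still escaped before it reaches the HTML.
$rows = $pdo->query('SELECT id, title FROM items LIMIT 10')->fetchAll(PDO::FETCH_ASSOC);

echo '<div id="rows" style="display:none">';
foreach ($rows as $r) {
    echo '<p>', htmlspecialchars($r['title'], ENT_QUOTES, 'UTF-8'), '</p>';
}
echo '</div>';
```

The guard only makes the direct request harmless; it does not hide the file's existence. The stronger arrangement is to keep included files in a directory outside the document root (for example `require dirname(__DIR__) . '/private/rows.inc.php';`), where the web server cannot serve them at all, and to reserve the web root for the pages and endpoints that are meant to be requested.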

There is nothing to stop someone from looking at your JavaScript code and getting the URL of the AJAX call.

However, if security is a huge issue then look into session variables and the method of storing the value(s). There are file, database and cookie. You do not want PHP to store session variables in a cookie as these would be accessible to the visitor (they are stored like normal cookies).

Set a session value; when the AJAX request is made, check whether the session value is also set. If it is, continue as normal. If it isn't (the session could have timed out), do nothing.

In Ajax, the JavaScript is viewable to everyone and the PHP is accessible through the web. Would it be possible for the user to directly call the PHP script,

Yes, it is just an HTTP request.

bypassing htaccess restrictions etc.

Not if you put the same restrictions on the URL you hit with the Ajax request as on the other pages you want to secure.
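Both answers make the same point from different angles: the Ajax endpoint is an ordinary HTTP resource, so the session check the first answer describes and the "same restrictions as the other pages" the second answer describes have to be enforced inside that endpoint, server-side. The following is an added example (not code from either answer) of an endpoint for the accept/reject action mentioned in the update. The file name `api/accept_request.php`, the `requests` table with its `owner_id` column, the `$_SESSION['user_id']` value assumed to be set at login, and the database credentials are all hypothetical; the block shows the token setup on page B first, then the endpoint.

```php
<?php
// ---- in page B (the page that renders the accept/reject buttons; hypothetical) ----
session_start();
// One random anti-CSRF token per session, stored server-side (file/database
// session handler, not a cookie), and printed into the page for the JavaScript:
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
// <input type="hidden" id="token" value="<?= htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8') ?>">

// ---- file: api/accept_request.php (hypothetical Ajax endpoint) ----
session_start();

// 1. Same restriction as the rest of the site: a logged-in session is required.
//    A direct call without the session cookie, or after a timeout, gets nothing.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit;
}

// 2. State-changing calls are POST only and must carry the token from page B.
//    hash_equals() compares in constant time; a missing or wrong token is refused,
//    which blocks another site from triggering the action with the victim's cookie.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_POST['token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['token'])) {
    http_response_code(403);
    exit;
}

// 3. Validate the input before touching the database.
$requestId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
$action    = $_POST['action'] ?? '';
if ($requestId === false || $requestId === null
    || !in_array($action, ['accept', 'reject'], true)) {
    http_response_code(400);
    exit;
}

// 4. Authorize the specific row: the UPDATE is scoped to rows owned by the
//    logged-in user, so a caller cannot overwrite someone else's request by
//    changing the id. The prepared statement keeps the id out of the SQL text.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass'); // placeholder credentials
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare(
    'UPDATE requests SET status = :status WHERE id = :id AND owner_id = :owner'
);
$stmt->execute([
    ':status' => $action === 'accept' ? 'accepted' : 'rejected',
    ':id'     => $requestId,
    ':owner'  => $_SESSION['user_id'],
]);

header('Content-Type: application/json');
echo json_encode(['updated' => $stmt->rowCount()]);  // 0 means no row matched this user
```

If the normal pages are protected by an .htaccess authentication rule rather than a PHP session, the same idea applies: place the endpoint under the same protected directory, and the browser sends the same credentials with the XMLHttpRequest that it sends for the page, so a direct request without them is refused by the web server before PHP runs. Either way the checks live on the server; the visibility of the JavaScript and the URL does not matter once the endpoint refuses anything it would not accept from a regular page.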