
How to make sure that a variable is posted from a specific JavaScript page in PHP

Developer https://www.devze.com 2023-02-13 20:26 Source: Internet

There are tasks that can only be done by JavaScript.

My problem is that after doing the task from JavaScript, the JavaScript code has to send the variables to a PHP page and, from my knowledge, it can only be done by post, get, and cookie which means that a user can possibly fake the variable and submit it.

I want to make sure that the variables the PHP page receives are from the JavaScript page. No luck so far. What is the solution?


You're right, this is certainly a problem.

Whitelisting/validating the input from the client could solve some of your problems, by making sure that the value is at least within a certain range of acceptable values.

What specifically is your use case that you're concerned about? Perhaps we could help you more if we knew more about your scenario.


We could help you better if you would describe your specific scenario and what kind of data input you need to avoid.

In general you should always try to validate data on the client (JavaScript) just to provide better feedback to the user (like highlighting a required form field left blank). Consider this just a courtesy to the user.

Regardless of that, you should never trust the data coming from the browser; do all the security-relevant validation on the server and don't care what kind of client software was used to collect that data (be it your JavaScript code or some hard-coded GET/POST data).


As the other answers have stated, whitelisting is really the only thing you can do -- if someone is deliberately attacking your website there is no requirement that any content you get is valid.

No amount of client side validation or cookies works either as an attacker does not need to use a browser to do Bad Things.


You can generate an authenticity token when serving your page. Then check that the response contains the same authenticity token. À la Rails.
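The token approach from the last answer, as an added PHP example that is not part of the original thread. It assumes PHP sessions are enabled and a hypothetical posted field `action` with a fixed set of allowed values, and it pairs the token with the server-side whitelisting the other answers recommend, because the token alone cannot prove the value was computed by your JavaScript:

```php
<?php
// Added example, not from the original answers: a Rails-style authenticity
// token in plain PHP, combined with server-side whitelisting of the value.
// Assumptions: PHP >= 7.1, sessions enabled, and a posted field "action"
// whose only legitimate values are those in ALLOWED_ACTIONS (hypothetical).
session_start();

const ALLOWED_ACTIONS = ['preview', 'save', 'delete'];

// When serving the page: mint a random token and keep it in the session.
function issue_token(): string
{
    if (empty($_SESSION['auth_token'])) {
        $_SESSION['auth_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['auth_token'];
}

// When the JavaScript posts back: require the same token, compared in constant
// time. This proves the request follows a page load in this session; it does
// not prove your JavaScript computed the value, so the value is still whitelisted.
function token_is_valid(array $post): bool
{
    $expected = $_SESSION['auth_token'] ?? '';
    $given    = (string) ($post['auth_token'] ?? '');
    return $expected !== '' && hash_equals($expected, $given);
}

// Never trust the posted value: accept only known-good inputs.
function validated_action(array $post): ?string
{
    $action = $post['action'] ?? null;
    return in_array($action, ALLOWED_ACTIONS, true) ? $action : null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!token_is_valid($_POST)) {
        http_response_code(403);
        exit('invalid or missing authenticity token');
    }
    $action = validated_action($_POST);
    if ($action === null) {
        http_response_code(400);
        exit('unexpected value');
    }
    exit("ok: $action");            // do the real work for $action here
}
// GET: render the token so the page's JavaScript can send it back with the POST.
$token = htmlspecialchars(issue_token(), ENT_QUOTES, 'UTF-8');
echo '<input type="hidden" name="auth_token" value="' . $token . '">';
```

The client-side script reads the hidden field and includes it in its POST body; a request without a matching token is rejected before the value is even looked at.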

