
How to keep track of fields on a web-app

Developer https://www.devze.com 2023-04-09 20:38 Source: web

Take Facebook's reply-to-status as an example. When you reply to someone's status, does the script look into the DOM of that status for the ID of that status, and send an Ajax request to update the entry with that ID?

If that's the case, couldn't you just modify the ID and pollute the data?

P.S. As a follow-up, I've seen a client-side MVC implementation, Backbone.js, that manages things like the above without the use of any ID, which I still haven't figured out.

http://documentcloud.github.com/backbone/docs/backbone.html

Here is the source; the relevant code, 'view', starts in the last quarter.


It will still verify that it's a valid id on the server side, that you have permissions to follow up to that user's statuses, etc.


Yes you can, but keep in mind it's all session/friends list/permissions based too.

There are still checks involved on the server regarding "does user A have access to making a comment on user B's action". Assuming you type a bogus ID, it still needs to be verified you can post on the (spoofed) ID.

If you can, you just made a post on a completely separate topic which is now presumably out of context. If you can't, the post doesn't go through and no worries.

What it comes down to is that the UI is a "convenience" check. There's no real integrity to the validation other than gently guiding the user along the correct path. The server is where the real protection is because, as every real programmer knows, the user cannot be trusted.
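The two answers above describe the same rule: the ID the client pulls out of the DOM (or, in Backbone.js, the `id` attribute of the model object a view holds in memory) is only a lookup key, and the server must re-check that the record exists and that the logged-in user is allowed to act on it. The following is an added example, not code from the original question or from Facebook or Backbone.js; it sketches a Node.js-style comment handler over a constructed in-memory store with hypothetical names (`postComment`, `canComment`, the users and statuses).

```javascript
// Added example (not from the original post). Constructed in-memory data:
// users with friend lists, and statuses keyed by the numeric id that the
// client-side DOM or a Backbone model would carry.
const users = {
  alice: { friends: new Set(['bob']) },
  bob:   { friends: new Set(['alice']) },
  carol: { friends: new Set() },
};

const statuses = new Map([
  [101, { owner: 'bob',   text: 'hello world', comments: [] }],
  [202, { owner: 'carol', text: 'friends only', comments: [] }],
]);

// Authorization rule (constructed): the owner may always comment on their own
// status; anyone else must be on the owner's friend list.
function canComment(actor, status) {
  return status.owner === actor || users[status.owner].friends.has(actor);
}

// Server-side handler. `session.user` comes from the server's own session
// store, never from the request body; `body.statusId` is untrusted client input.
function postComment(session, body) {
  const id = Number(body.statusId);
  if (!Number.isInteger(id)) {
    return { status: 400, error: 'invalid id' };
  }
  const status = statuses.get(id);
  if (!status) {
    // A spoofed id that matches nothing is rejected before any write.
    return { status: 404, error: 'no such status' };
  }
  if (!canComment(session.user, status)) {
    // A real id the caller is not allowed to touch is rejected the same way.
    return { status: 403, error: 'not permitted' };
  }
  if (typeof body.text !== 'string' || body.text.length === 0 || body.text.length > 1000) {
    return { status: 400, error: 'invalid comment' };
  }
  status.comments.push({ author: session.user, text: body.text });
  return { status: 201, count: status.comments.length };
}

// Stand-alone demo: a legitimate reply, then the same user sending an id
// scraped from a status they cannot see.
console.log(postComment({ user: 'alice' }, { statusId: '101', text: 'nice' }));
console.log(postComment({ user: 'alice' }, { statusId: '202', text: 'spoofed' }));
```

The client is free to keep the ID wherever it likes; what matters is that the server derives the acting user from its session and performs the existence and permission checks on every request, so editing the ID in the DOM can at worst produce a 404 or 403, never a write to someone else's data.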

