Only Allow jquery to load certain pages

Developer https://www.devze.com 2023-01-08 23:56 Source: Internet
Sorry if this has been asked already, I did a Google search and couldn't find the answer.

I am new to jquery and I am wondering how to protect my backend pages from being loaded by external users?

For example, if my jquery .post or .get calls "delete-post.php" I only want the jquery to be able to load that page. I don't want some John Doe user realizing he can post data from his own form to delete-post.php and delete whatever he wants, or calling delete-post.php?id=whatever_id_he_wants.

I hope this makes sense? Like I said I am new to jQuery and am wondering about security.


About the only thing you can do, and something that you should be doing anyway, is checking that a user is logged in and is authorized to delete a post. You do this on the delete-post.php script by checking session variables.

The problem here isn't with jQuery or AJAX; if this were a normal static form, the user would still be able to figure out how to post to this delete-post.php page anyway.

Hope this helps.

Edit: And welcome to SO. :)


You have to validate your input on the server-side. Javascript is not capable of protecting you here. In your delete-post.php file, you should do multiple checks to make sure an authorized user on your site is calling the script and you could use some sort of unique validation key to authorize the action.


You can check if the incoming request is of the xhttp/ajax sort, but this will only tell you how the post was made. You will need to set up at least the basics of an authenticated session in order to determine if a user has the authorization to delete a post. That authority will carry over into the ajax requests.

If you are looking for something really quick and dirty, consider simple HTTP basic access authentication, or if it is for you alone to moderate, a hard-coded IP wouldn't be the worst situation you could be in.

In any event, you can't really do any sort of user verification on the client side like you want because it is too easily spoofed.


You should look into using security tokens (also called a 'nonce' which is an interesting choice of terminology if you happen to be a Brit).

A nonce is designed to ensure that any request originated from where you expected it to originate from.

Have a read through this guide (all of it! But the bit that's particularly relevant to this question is the bit about CSRF exploits) to see a simple implementation of this concept: http://php.robm.me.uk/

As an aside, never ever EVER do anything destructive using a GET request. Ever. Cardinal rule. Always use POST. In fact some also consider it good practice to never actually delete anything from the application, only direct from the database - just set a check for 'deleted' to perform a soft deletion instead. But that's not directly relevant to this question, of course. :-)
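
The checks the answers above describe (logged-in session, authorization for the specific post, a security token, POST only, soft deletion), combined in one PHP example that is added here and is not code from any of the answers. The `posts` table and its columns, the session keys `user_id` and `csrf_token`, and the `handle_delete` function are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example. Table, column, session-key and function names are assumptions.

/** Returns the HTTP status delete-post.php should send; a row changes only on 200. */
function handle_delete(string $method, array $session, array $post, PDO $db): int
{
    if ($method !== 'POST') {
        return 405;                          // nothing destructive over GET
    }
    if (empty($session['user_id'])) {
        return 401;                          // no authenticated session
    }
    $sent = $post['csrf_token'] ?? '';
    if (empty($session['csrf_token']) || !is_string($sent)
        || !hash_equals($session['csrf_token'], $sent)) {
        return 403;                          // token absent or wrong: not sent from our own page
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return 400;                          // id missing or not an integer
    }
    // Soft delete, restricted to rows owned by the logged-in user.
    $stmt = $db->prepare(
        'UPDATE posts SET deleted = 1 WHERE id = ? AND owner_id = ? AND deleted = 0');
    $stmt->execute([$id, $session['user_id']]);
    return $stmt->rowCount() === 1 ? 200 : 404;
}

// Constructed demo data in an in-memory SQLite database, so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, owner_id INTEGER, deleted INTEGER DEFAULT 0)');
$db->exec('INSERT INTO posts (id, owner_id) VALUES (1, 10), (2, 20)');

$token   = bin2hex(random_bytes(32));        // issued at login, embedded in the page jQuery posts from
$session = ['user_id' => 10, 'csrf_token' => $token];
$good    = ['id' => '1', 'csrf_token' => $token];
$cases   = [
    'GET request'            => ['GET',  $session, $good],
    'no login session'       => ['POST', [],       $good],
    'form without the token' => ['POST', $session, ['id' => '1']],
    "another user's post"    => ['POST', $session, ['id' => '2', 'csrf_token' => $token]],
    'legitimate request'     => ['POST', $session, $good],
];
foreach ($cases as $label => [$method, $sess, $post]) {
    printf("%-24s HTTP %d\n", $label, handle_delete($method, $sess, $post, $db));
}
```

In the real endpoint, call `session_start()` and pass `$_SERVER['REQUEST_METHOD']`, `$_SESSION` and `$_POST` to the function, then hand its result to `http_response_code()`. The jQuery `.post` call has to include the token in its data for the request to pass the 403 check.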
