How do I validate ajax delete with PHP
I use ajax to POST a post id and current user id to a URL to delete this post, but I think it's not safe because anyone can post those parameters. How to make sure the user who sends this Ajax POST is the post owner?
Don't send the user ID, this should be stored in a session or done securely through cookies.
Once retrieved you can take the post ID, look up the user ID of that post and check they match.
You should use SESSION for this one. A unique id is sent with each of your requests, so by this id you can define which user sends delete requests. Read more about http://www.php.net/manual/en/book.session.php
Use PHP to compare what gets posted via AJAX and what's stored in your database. If the values don't match it's an invalid operation.
Edit: You should also check if the user trying to change the post is currently logged in (via a PHP Session like others are suggesting).
You should use the PHP session to store who is currently logged in. In the script that deletes posts check whether the logged in user is the same as the user who created the post.
With the Ajax post you should have access to their cookies and sessions so you can do any validation you need / would have with a direct form submit. So validate it against that data.
In the PHP script, put validation. Check whether the post's user ID and the logged-in user ID (through session or cookie) match.
If yes => return true, else => return false
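Putting the answers together as a single PHP delete handler (an added example, not code from any of the answers above; it assumes a `posts` table with `id` and `user_id` columns, a `$_SESSION['user_id']` set at login, and a PDO connection with placeholder credentials):

```php
<?php
// Added example: a delete endpoint that ignores any user id sent by the
// client and checks ownership server-side from the session.
// Assumed: table "posts" with columns id, user_id; $_SESSION['user_id']
// was set at login; PDO credentials below are placeholders.
session_start();
header('Content-Type: application/json');

function respond(int $status, string $msg): void {
    http_response_code($status);
    echo json_encode(['ok' => $status === 200, 'message' => $msg]);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    respond(405, 'POST only');
}

// The only trustworthy identity is the one the session holds.
$userId = $_SESSION['user_id'] ?? null;
if ($userId === null) {
    respond(401, 'not logged in');
}

// Validate the post id; a user id in the request body is never read.
$postId = filter_input(INPUT_POST, 'post_id', FILTER_VALIDATE_INT);
if ($postId === false || $postId === null) {
    respond(400, 'invalid post id');
}

$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'placeholder', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Ownership check and delete in one prepared statement: the row is removed
// only if it belongs to the session user, so there is no check-then-act gap.
$stmt = $pdo->prepare('DELETE FROM posts WHERE id = :id AND user_id = :uid');
$stmt->execute([':id' => $postId, ':uid' => $userId]);

if ($stmt->rowCount() === 0) {
    // Post does not exist or belongs to someone else; answer the same way
    // so the caller learns nothing about other users' posts.
    respond(403, 'not allowed');
}

respond(200, 'deleted');
```

The Ajax call only needs to send `post_id`; the browser attaches the session cookie automatically, which is where the user identity comes from.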