开发者

hack proof html coding with ajax

问答 作者:

I have many lists e.g. a todo list, a shopping list etc. on my web page. I am using AJAX to add or delete the items. For example, for a todo list my HTML is like:

<tr id="todo_user开发者_如何学JAVAttypea_23"> <td>name</td><td>Delete</td></tr>

Note if the users press delete then I am deleting that row.

I get the id of the row and then break it to find which operation to perform and which id to delete.

But the I have found that if I use firebug then I can change the id dynamically to any number and I have found that it is possible to delete any id, even if does not belong to that user, by editing the HTML.

What should I do to prevent this?

The main principle is "never trust incoming data". Any data you get sent from outside can be manipulated - Parameters, Headers, Referers, everything. A good and safe system does not trust any of these.

If you have multiple users working on the same data base, you will probably need to implement an authorization system that defines clearly who is allowed to do what to which record.

That is usually done using a session-based login system of some sort, based on one of the scripting languages like PHP, Ruby, ASP or Perl. There are pre-built solutions available.

I think you are confusing Javascript functionality with security. If your user is not allowed to delete AuntMarysShoppingList#32, then the server shouldn't let him no matter what the client requests.

You can obfuscate your JS code, but on some level, you have to assume your user is an honest broker, and isn't going to go out of their way to delete something (the hard way, by hacking JS) that they have the rights to delete anyway.

You need to add Authorization checking on the server side. Whether the request is ajax or otherwise is irrelevant.

Perhaps you should check to see, on a delete ajax request, whether the user doing the deletion is permitted to delete the item.

You basically need something like this on the server-side:

if (itemBelongsToUser(itemId, currentUserId)) {
    deleteItem(itemId);
}

继续阅读:dhtmljavascriptjquery

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9