Just wondering on the difference in security of

    <input type="hidden" name="id" value="<?php echo $id; ?>">

vs.

    jQuery(this).ajaxSubmit({
        data: { id: '<?php echo $id; ?>' }
    });

when sending form data. Is one method more vulnerable to hacking than the other? What is the best way to securely send form data so outsiders can't tamper with or change the id number?
asked Jul 22, 2013 at 19:38 by Marlboro Goodluck; edited Dec 24, 2015 at 23:49 by Brian Tompsett - 汤莱恩. 3 Answers
There is no difference in the security. In both cases, an HTTP POST request is sent to the server and a response is received from the server. Aside from perhaps some headers in the request, the server doesn't even really know or care what the difference is between the two.
To illustrate, take a look at the Network requests in your browser debugging tools (Firebug or Chrome tools) when submitting a regular form POST and an AJAX POST. The two are very close to identical, save for the browser maybe adding another header or two for the AJAX one.
What is the best way to securely send form data so outsiders can't tamper with or change the id number?
There isn't. Any savvy user can manually craft an HTTP POST request to include any data they want. Browsers these days even have handy tools to help with this for development and debugging purposes. The general rule is for the server-side code to never implicitly trust requests sent from a client. Always validate that the user has access to do what they're trying to do, that the data isn't malicious or is otherwise properly sanitized before using it (particularly in database queries as a common example), and so on.
Essentially there is no difference from a security standpoint. In both circumstances it is trivial for someone to see the id, and in both circumstances it is trivial for someone to construct their own request to your API.
The way to make your forms secure is to make sure that everything is always validated on the server. While adding things like form validation on the client side can make for a better user experience, it isn't security. You should always assume that your server can receive invalid and malicious data in requests and take that into account.
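The first two answers make the same point: the submitted `id` is attacker-controlled whichever way it left the browser, so the only meaningful control is a server-side check that the logged-in user may act on that record. The following is an added example (not code from the question or from either answer) of such a handler in framework-free Node-style JavaScript; the record store, the `session` object, the action names and all function names are constructed for this illustration.

```javascript
// Added example (not from the question or answers): a server-side handler that
// treats the submitted `id` as untrusted, regardless of whether it arrived from
// a hidden <input> or from jQuery's ajaxSubmit. The record store, the session
// object and every name below are constructed for this illustration.

// Constructed data store: which user owns which record.
const RECORDS = new Map([
  [42, { owner: 'alice', title: 'Alice draft' }],
  [43, { owner: 'bob', title: 'Bob draft' }],
]);

// Constructed allow-list of actions; anything else is rejected.
const ACTIONS = new Set(['view', 'delete']);

// Parse an application/x-www-form-urlencoded body into a plain object. Both a
// regular form POST and ajaxSubmit produce this encoding, so the server cannot
// tell them apart from the body alone.
function parseFormBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Validate the id as a positive integer and return it as a number, or null.
function parseId(raw) {
  if (typeof raw !== 'string' || !/^[1-9][0-9]*$/.test(raw)) return null;
  const n = Number(raw);
  return Number.isSafeInteger(n) ? n : null;
}

// Handle one request. `session.user` comes from the server's own session store,
// never from the request body; the body is whatever the client chose to send,
// including a hand-crafted one with someone else's id.
function handleRequest(session, body) {
  const fields = parseFormBody(body);
  const id = parseId(fields.id);
  if (id === null) return { status: 400, error: 'invalid id' };
  if (!ACTIONS.has(fields.action)) return { status: 400, error: 'invalid action' };

  const record = RECORDS.get(id);
  // Same response for "missing" and "not yours", so the id space cannot be
  // mapped out by watching which status code comes back.
  if (!record || record.owner !== session.user) {
    return { status: 404, error: 'not found' };
  }
  if (fields.action === 'delete') {
    RECORDS.delete(id);
    return { status: 200, deleted: id };
  }
  return { status: 200, record };
}
```

Client-side validation of the hidden field, or obscuring it in an AJAX payload, changes nothing here: `handleRequest` is the only place where the decision is made, and it uses the server's session as the source of identity and the submitted id purely as a lookup key.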
Form vs AJAX doesn't make a difference. What makes a difference is if you're using GET or POST and if you're using HTTPS or HTTP.
If you don't want your data tampered with, you should use HTTPS and POST instead of GET or non-encrypted HTTP POST. See this for a comparison of GET vs POST. GET will create a querystring, which is part of the URL, that has the data in it, and the URL is visible to sniffers even if you're using HTTPS.
If you use POST, the posted message contains your data, so sniffing will only see the URL, which won't reveal the ID; they won't be able to see the ID being posted to the server, so they can't tamper with it.
Tags: javascript; Security of ajax vs regular form data; Stack Overflow
Copyright notice: this article is titled "javascript - Security of ajax vs regular form data - Stack Overflow". The content was contributed by a site user and the views expressed are the author's own; to republish, contact the author and cite the source: http://www.betaflare.com/web/1741295109a2370772.html. This site only provides information storage services, does not own the content and assumes no related legal liability. If you find content on this site that infringes copyright or violates laws or regulations, it will be removed once verified.