I send an Ajax request with this function:

    function myFunc(x)
    {
        $.ajax({
            url: 'retrive.php',
            type: 'POST',
            data: 'data=' + x,
            success: callback
        });
    }

I call the function with an integer parameter, for example:

    myFunc(20);
    myFunc(25);

Can a hacker change the parameters of myFunc()?
If he can, how do I prevent the value from being changed?
What is the best way to send a secure parameter?
**EDIT:**
My JavaScript code has a variable called Score.
This variable is incremented by one:

    if(condition)
    {
        Score++;
    }

When the game is over, I send the variable with Ajax.
And this variable, along with the game code, is stored in the database.

    if(game_over)
    {
        myFunc(20, Score); // game code, score
    }

But these values can be changed by a user (through the console of Chrome and Firebug).
1. What is the solution?
2. What is the name of this type of attack? Is it XSS?
- You must use server-side validations for this, because parameters can always be changed before reaching the server. – Brijesh Bhatt Commented Apr 7, 2015 at 6:44
- Don't worry about client-side code, it's not secured by definition. Make sure your backend is bullet-proof. – dfsq Commented Apr 7, 2015 at 6:45
3 Answers
Yes, a hacker sure can, and easily too. For example, by using Chrome Developer tools, one can inject or modify your script. As a motivating example, I routinely do this when I order a pizza to have it delivered a little faster ;)
So, you should not rely on JavaScript authentication. Instead, have your server verify or reject the parameters, or use some sort of challenge/accept system between the server and the JavaScript.
Here are some more ideas you can try: Ajax post request security
Can a hacker change the parameters of myFunc()?
Yes, he can.
If he can, How to prevent change value?
You can't prevent it, but you can verify the parameters within server-side code.
What is the best way to send secure parameter?
What you can do is use the mcrypt_encrypt() function to encrypt your string or data, and when receiving the data you can use the mcrypt_decrypt() function; otherwise, you can use other PHP encoding methods.
You can check PHP mcrypt - Complete encryption and decryption of data
It is the same as sending params via POST or GET from an HTML form. It's impossible to secure it. You can only use some encryption method, but it is not very secure because on the server side you need to decrypt it. And in the end, with this solution, it's impossible to encrypt it in a 100% secure way.
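
One way to implement the server-side verification and challenge/accept idea recommended in the answers above, shown as an added example that is not part of the original thread. It assumes a Node.js backend; the function names, the token layout and the 2-points-per-second limit are hypothetical.

```javascript
// Added example (Node.js): server-side check of a submitted score.
// All names and limits here are hypothetical, not from the original page.
const { createHmac, timingSafeEqual, randomBytes } = require('node:crypto');

const SERVER_KEY = randomBytes(32);      // stays on the server
const MAX_POINTS_PER_SECOND = 2;         // assumed game rule
const KNOWN_GAMES = new Set([20, 25]);   // game codes used in the question
const usedNonces = new Set();            // replay guard; a DB table in practice

function sign(payload) {
  return createHmac('sha256', SERVER_KEY).update(payload).digest('hex');
}

// Game start: the server, not the client, fixes the game code and start time.
function issueToken(gameCode, nowMs) {
  const payload = `${gameCode}.${nowMs}.${randomBytes(8).toString('hex')}`;
  return `${payload}.${sign(payload)}`;
}

// Score endpoint: every POST field is attacker-controlled text.
function validateSubmission(token, rawScore, nowMs) {
  const parts = String(token).split('.');
  if (parts.length !== 4) return { ok: false, reason: 'malformed token' };
  const [gameCode, startMs, nonce, mac] = parts;
  const expected = Buffer.from(sign(`${gameCode}.${startMs}.${nonce}`));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  if (!KNOWN_GAMES.has(Number(gameCode))) return { ok: false, reason: 'unknown game' };
  if (usedNonces.has(nonce)) return { ok: false, reason: 'token already used' };
  if (!/^\d{1,9}$/.test(String(rawScore))) {
    return { ok: false, reason: 'score not an integer' };
  }
  const score = Number(rawScore);
  const elapsedSec = (nowMs - Number(startMs)) / 1000;
  if (elapsedSec < 0 || score > elapsedSec * MAX_POINTS_PER_SECOND) {
    return { ok: false, reason: 'score not plausible for elapsed time' };
  }
  usedNonces.add(nonce);                 // one submission per game session
  return { ok: true, gameCode: Number(gameCode), score };
}
```

The token stops a client from changing the game code or start time and from replaying a submission, but any score inside the plausible range is still accepted. A score can only be fully trusted when the server computes it from the game events itself.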
Tags: javascript - What is the best way to send secure parameter in Ajax Request - Stack Overflow