通过Symfony2中的AJAX安全地将参数传递给Controller
[英]Safely pass parameter to Controller via AJAX in Symfony2
问题描述
I've got a question on how to best/safely pass parameters on an ajax request to my controller. 
我对如何最好/安全地将ajax请求中的参数传递给我的控制器有疑问。
I've got these two options within my project using Symfony: 我在使用Symfony的项目中拥有以下两个选项 :
(1) I could pass parameters, like my entity id and a csrf token, via: (1)我可以通过以下方式传递参数,例如我的实体ID和CSRF令牌:
Routing.generate("my_update_route", {'id': entity.id, 'token' : token});
-> benefit of this approach would be, that I could check within my @Route annotation the correct parameter type with requirements: ->这种方法的好处是,我可以在@Route批注中检查符合要求的正确参数类型:
@Route("/account/entity/update/{id}/{token}", name="my_update_route",
requirements={"id" = "\d+", "token" = "[a-z]+"})
-> but is passing the id and a security (csrf) token via this way (Url) the recommended way? ->但是是否建议通过这种方式(Url)传递ID和安全性(csrf)令牌?
Or (2) Passing the variables via the post body, not in the url and I would loose the possibility to check with "requirements" the correct type automatically - but - the values are passed more safely to the server (of course when using https). 或者(2)通过post正文传递变量,而不是通过url传递变量,我将失去自动使用“ requirements”检查正确类型的可能性-但是-值更安全地传递给服务器(当然,使用https时) )。
How do you normally pass your parameters when using AJAX requests? 在使用AJAX请求时,通常如何传递参数? What is the most secure way of doing it? 最安全的方法是什么?
1 个解决方案
解决方案1
0 2015-07-11 23:30:35
You can pass the id and the token via URL without problem. 您可以毫无问题地通过URL传递ID和令牌。
As you said the annotation @Route allow you to check parameters patterns (id => integer and token => string). 如您所说,注解@Route允许您检查参数模式(id =>整数和token =>字符串)。
The token value doesn't necessarily have to be secret as mentioned in this reference . 如本参考资料中所述,令牌值不一定必须是秘密的。
Hope it will help you. 希望对您有帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.