How to avoid logged-in users using ajax via the console?

I'm using this ajax function to insert a product from an e-commerce site into the database.

I see that this method is very insecure; some experienced users with programming knowledge can use this ajax and insert products, or something else.

I read in other posts that propose as a solution using hidden input fields with a token, but as I said, some experienced users with programming knowledge will find it.

Is there some REAL way to make this "add product" function secure without refreshing the page on every insert?

$(document).on('click', '#save', function (e) {
    // Product id is read from the preview element currently shown to the user
    var vidArt = $(".imagepreview").attr('value');

    $.ajax({
        data: { idArt: vidArt },
        type: "POST",
        url: "classes/add_to_cart.php",
        success: function (data) {
            // nothing is done with the response yet
        }
    });
});

It doesn't matter if you design your API to be used by Ajax or by whole new page loads. An HTTP request is an HTTP request and people can make whatever HTTP requests they like.

There is no way to ensure that an HTTP request comes from code you have written.

However, that should not matter. If you are going to let the user add_to_cart using the user interface you designed, why worry if they add_to_cart using a user interface they designed?

If you want to impose restrictions (such as "Only products with an X in the name can be added") then impose those restrictions using your server-side code and not the user interface.

You can detect if the console is open:

function isConsoleOpen() {
    // Heuristic: docked developer tools reduce the inner width relative to the outer width
    if ((window.outerWidth - window.innerWidth) > 100) { return true; }
    // Heuristic: platform reported as Win32 while the user agent does not mention Windows
    if ((navigator.platform == "Win32") && (navigator.userAgent.indexOf("Windows ") == -1)) { return true; } else { return false; }
}
