自动建议脚本的jQuery Ajax安全
[英]jQuery Ajax security for auto suggest script
问题描述
I am working on some auto-suggest feature. 
我正在研究一些自动建议功能。
The script is fairly itself. 该脚本本身就是。 When a character is typed in to the textbox it sends a ajax post (or get) request to the php file which queries the database and returns a result set. 当在文本框中键入字符时,它会向php文件发送ajax发布(或获取)请求,该请求会查询数据库并返回结果集。
But the problem is that the php file is accessible on its own. 但是问题是该php文件可以单独访问。 So it can be called directly. 因此可以直接调用。 Is there a way to prevent this and make that php file to serve only the ajax request on my application. 有没有一种方法可以防止这种情况,并使该php文件仅在我的应用程序上提供ajax请求。
Thanks in advance. 提前致谢。
2 个解决方案
解决方案1
0 已采纳 2010-02-25 00:50:37
No, there isn't. 不,没有。 If your script can be requested, it can be requested by anything. 如果可以请求您的脚本,那么任何东西都可以请求它。 It is possible to differentiate ajax requests from normal ones by testing for the x-requested-with header and responding accordingly, that is, if it does not contain the value XMLHTTPRequest you simply exit() the script. 通过测试x-requested-with标头并做出相应的响应,可以将ajax请求与普通请求区分开来,也就是说,如果它不包含XMLHTTPRequest值,则只需exit()脚本即可。 However, headers can always be spoofed. 但是,标题始终可以被欺骗。 So no, you can't. 所以不,你不能。
解决方案2
0 2010-02-25 00:52:41
No. Anyone can look at your .php and stuff.. 否。任何人都可以查看您的.php和其他内容。
The best you can do is protect yourself from SQL injection, and thats about it. 您能做的最好的事情就是保护自己免受SQL注入的困扰,仅此而已。
There is no foolproof way to do what you want to do. 没有万无一失的方式来做您想做的事。
**By the way, if someone is actually actively polling your .php nonstop in his/her application, you could probably contact that person's host to terminate his/her account. **顺便说一句,如果有人实际上正在他/她的应用程序中不间断地轮询您的.php,则您可能会联系该人的主机以终止其帐户。 Just saying. 只是说。 ** **
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.