使用Ajax提交表单是否安全?
[英]Would submitting a form using Ajax be secure?
问题描述
So I have my form built in html and validated in JS and it does and looks the way I want. 
所以我的表单是用html构建的,并在JS中验证,它看起来像我想要的那样。 Now obviously I will be validating the input using PHP on the server side but I'm wondering if it would be secure enough to submit the form using Ajax and then validating on the server side, instead of submitting the form using a 'submit' type button and an 'action' attribute. 现在显然我将在服务器端使用PHP验证输入,但我想知道它是否足够安全,使用Ajax提交表单然后在服务器端验证,而不是使用'submit'类型提交表单按钮和'动作'属性。 Basically, is it safe to make server side validation dependent on the JS submitting it? 基本上,使服务器端验证依赖于JS提交它是否安全?
Here is my form: 这是我的表格:
<form name="contactForm" id="contactForm"><!-- The form has no action attribute because its submitted via Ajax -->
<div id="inputsWrapper">
<div>
<label for="fullName">Your Name: <span class="required">(required)</span></label>
<input type="text" name="fullName" id="fullName" title="First & last name" value="First & last name" maxlength="50" />
</div>
<div>
<label for="email">Your E-mail: <span class="required">(required)</span></label>
<input type="text" name="email" id="email" title="E-mail address" value="E-mail address" maxlength="500" />
</div>
<div>
<label for="subject">In Regards To: <span class="required">(required)</span></label>
<input type="text" name="subject" id="subject" title="Subject" value="Subject" maxlength="50"/>
</div>
<div>
<label for="message">Your Message: <span class="required">(required)</span></label>
<textarea name="message" id="message" title="Enter your message here" cols="40" rows="10">Enter your message here</textarea>
</div>
</div> <!-- End inputsWrapper -->
<input type="button" name="sendBtn" id="sendBtn" value="Send Message" /><!-- This button has a listener assigned to it in JS and submits the form on click -->
Once the button is clicked, the Ajax will submit the form via POST to my PHP script and either come back valid or not. 单击按钮后,Ajax将通过POST将表单提交到我的PHP脚本,并返回有效与否。 Would this be a safe way of doing this or not? 这是否是一种安全的方式来做到这一点? Thank you for any advice. 谢谢你的任何建议。
2 个解决方案
解决方案1
5 2012-07-26 08:34:00
Posting it through Ajax or through the browsers default form posting behaviour will not make a difference from a security perspective. 通过Ajax或通过浏览器默认表单发布行为发布它不会从安全角度来看有所不同。 The requests will both be regular HTTP POST/GET requests. 请求将是常规HTTP POST / GET请求。
解决方案2
5 已采纳 2012-07-26 08:37:20
I'm wondering if it would be secure enough to submit the form using Ajax and then validating on the server side, instead of submitting the form using a 'submit' type button and an 'action' attribute.
Yes. 是。 Input from outside the system is input from outside the system. 系统外部的输入是从系统外部输入的。
Basically, is it safe to make server side validation dependent on the JS submitting it?
Your JavaScript should be unobtrusive and implement progressive enhancement . 您的JavaScript应该是不引人注目的并实现渐进增强 。
The input to the script should be the same no matter if it came from a regular form submission of with Ajax (which is trivially easy if you use something like jQuery's serialize ), so there you shouldn't need to make the server depend on the JS for the response. 对于脚本的输入应该是相同的,无论它是来自Ajax的常规表单提交(如果你使用像jQuery的序列化这样很容易),所以你不应该让服务器依赖于JS的回应。
The only difference in how a form submission and an Ajax request is handled should be the formatting of the response. 表单提交和Ajax请求的处理方式的唯一区别应该是响应的格式。
Either way, the data coming into the system is ultimately under the control of the submitter so you need to perform suitable sanity checking and escaping of it either way. 无论哪种方式,进入系统的数据最终都在提交者的控制之下,因此您需要执行适当的健全性检查并以任何方式转义它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.