stackoom
  简体   繁体   中英

Best way to pass sensitive variables on click event?

 原文  2014-05-11 14:24:53       javascript/ php/ jquery/ variables/ button

Question

I am looking for a secure way of passing sensitive variables to a php file via ajax. At the moment i have been using data attributes but the values can be changed using something like firebug.

HTML: 

<div class="strip">
    <?php
        if($hide == 0) {
            echo '<h2 class="action" data-type="1" data-id="<?php echo $id; ?>" data-action="0">Hide Business</h2>';
        }
        if($hide == 1) {
            echo '<h2 class="action" data-type="1" data-id="<?php echo $id; ?>" data-action="1">Un-Hide Business</h2>';
        }
    ?>
    <h2 class="action" data-type="1" data-id="<?php echo $id; ?>" data-action="2">Delete Business</h2>
</div>

JavaScript/JQuery: 

$(".action").click(function() {
    var type = $(this).data("type");
    var id = $(this).data("id");
    var action = $(this).data("action");

    $.ajax({
        url : 'assets/php/confirm.php',
        type : 'POST',
        data : "type="+type+"&action="+action+"&ids="+id,
        success : function (result) {
            alert(result);
        }
    });
});

PHP: 

if(isset($_POST['type'], $_POST['action'], $_POST['ids'])) {
    $type = $_POST['type'];
    $action = $_POST['action'];
    $ids = explode(",", $_POST['ids']);
    $count = count($ids);

    if($type == 0) {
        if($action == 1) {
            $stmt = $mysqli->prepare("DELETE FROM deals WHERE id=?");
        } else {
            $stmt = $mysqli->prepare("UPDATE deals SET hide=0 WHERE id=?");
        }
    } else {
        if($action == 1) {
            $stmt = $mysqli->prepare("DELETE FROM businesses WHERE id=?");
        } else {
            $stmt = $mysqli->prepare("UPDATE businesses SET hide=0 WHERE id=?");
        }
    }

    for($i = 0; $i < $count; $i++) {
        $stmt->bind_param('s', $ids[$i]);
        $stmt->execute();
        $stmt->close();
    }
    echo 'Success updated '.$_POST['ids'];
}

The variables that need to be secure are the data-type, data-id, data-action values. Reason being i dont want the wrong database entries being deleted. I dont know of any alternatives, so any help would be great.

2 answers

solution1
 1 ACCPTED  2014-05-11 14:27:11

If you want to stop the user changing them, then you can't get them from the user at all. Store the data on the server instead.

If you want to limit what values you'll accept from the user, then limit them on the server. Perform authentication and authorization. Make sure the values being changed are ones the logged in user is allowed to change.

solution2
 0  2014-05-11 14:28:54

由于无法隐藏客户端(浏览器内部)上的代码,因此应确保客户端与Web服务器之间的连接安全-为此请使用SSL / TSL ...

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Best way to pass variables between controllers What is the best way to toggle a click event in javascript? What is the best way to deactivate a click event from an What is the best way to pass global config variables to handlebars template? Best way to pass variables into callback functions in Node.js What is the best way to pass flask variables directly to vue? What is the best way to pass server side variables to JavaScript on the client side? best way to pass multiple variables to diiferent pages without ajax Best way to protect sensitive information copying in HTML? Best way to handle click and clickOutside event execution precedence in Angular 2?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM