
What is the best way to send secure parameter in Ajax Request?

I send an Ajax request with this function:

function myFunc(x)
{
    $.ajax({
        url:      'retrive.php',   // the URL must be a string
        type:     'POST',
        data:     'data=' + x,
        success:  callback
    });
}

I call the function with an integer parameter, for example:

myFunc(20);
myFunc(25);

Can a hacker change the parameters of myFunc()?
If he can, how do I prevent the value from being changed?
What is the best way to send a secure parameter?

**EDIT:**

My JavaScript code has a variable called Score.
This variable is incremented by one:

if(condition)
{
    Score++;
}

When the game is over, I send the variable with Ajax,
and this variable, together with the game code, is stored in the database.

if(game_over)
{
    myFunc(20, Score); // game code, score
}

But these values can be changed by a user (via the Chrome console or Firebug).
1. What is the solution?
2. What is the name of this type of attack? Is it XSS?

Yes, a hacker sure can, and easily too. For example, by using Chrome Developer tools, one can inject or modify your script. As a motivating example, I routinely do this when I order a pizza to have it delivered a little faster ;)

So, you should not rely on JavaScript authentication. Instead, have your server verify or reject the parameters, or use some sort of challenge/accept system between the server and the JavaScript.

Here are some more ideas you can try: Ajax post request security

Can a hacker change the parameters of myFunc()?

Yes he can.

If he can, how do I prevent the value from being changed?

You can't prevent it, but you can verify the parameters in server-side code.

What is the best way to send a secure parameter?

What you can do is use the mcrypt_encrypt() function to encrypt your string or data, and when receiving the data you can use the mcrypt_decrypt() function; otherwise you can use other encoding methods available in PHP.

You can check PHP mcrypt - Complete encryption and decryption of data

It is the same as sending params via POST or GET over an HTML form. It's impossible to secure it. You can only use some encryption method, but it is not very secure because on the server side you need to decrypt it. And in the end, with this solution, it's impossible to encrypt it in a 100% secure way.
