Safely passing parameters to a Controller via AJAX in Symfony2

Time: 2022-09-15 19:11:52

I've got a question on how to best/safely pass parameters on an ajax request to my controller.

I've got these two options within my project using Symfony:

(1) I could pass parameters, like my entity id and a csrf token, via:

Routing.generate("my_update_route", {'id': entity.id, 'token' : token});

-> benefit of this approach would be, that I could check within my @Route annotation the correct parameter type with requirements:

@Route("/account/entity/update/{id}/{token}", name="my_update_route", 
        requirements={"id" = "\d+", "token" = "[a-z]+"})

-> but is passing the id and a security (csrf) token via this way (Url) the recommended way?

Or (2) passing the variables via the POST body, not in the URL; I would lose the possibility to check the correct type automatically with "requirements", but the values are passed more safely to the server (of course when using HTTPS).

How do you normally pass your parameters when using AJAX requests? What is the most secure way of doing it?

1 solution

#1


0  

You can pass the id and the token via URL without problem.

As you said, the @Route annotation allows you to check parameter patterns (id => integer and token => string).

The token value doesn't necessarily have to be secret as mentioned in this reference.

Hope it will help you.

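One way to combine both options from the question, as an added example that is not from the question or the answer: the entity id stays in the URL, where the @Route requirement validates it, while the CSRF token travels in a POST header or body so it does not land in access logs, browser history or Referer headers. It assumes a current Symfony with AbstractController and CsrfTokenManagerInterface autowiring (not Symfony 2); the controller class, token id and route name are hypothetical.

```php
<?php
// Added example, not code from the question or the answer.
// Assumes a current Symfony (AbstractController, autowired CSRF token manager).
namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Csrf\CsrfToken;
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;

class EntityUpdateController extends AbstractController
{
    // Hypothetical token id; the same id is used when rendering the token
    // into the page, e.g. csrf_token('entity_update') in Twig.
    private const CSRF_TOKEN_ID = 'entity_update';

    /**
     * Only the numeric id is part of the URL, so "requirements" still
     * validates it; restricting the route to POST keeps the token out of
     * query strings entirely.
     *
     * @Route("/account/entity/update/{id}", name="my_update_route",
     *        requirements={"id"="\d+"}, methods={"POST"})
     */
    public function update(int $id, Request $request, CsrfTokenManagerInterface $csrf): JsonResponse
    {
        // Accept the token from a header (typical for fetch/XHR) or a POST field.
        // Note: Symfony's default token generator emits URL-safe base64
        // ([A-Za-z0-9_-]), so a "[a-z]+" requirement would reject real tokens.
        $submitted = $request->headers->get('X-CSRF-Token')
            ?? $request->request->get('_token');

        if (!is_string($submitted)
            || !$csrf->isTokenValid(new CsrfToken(self::CSRF_TOKEN_ID, $submitted))) {
            // Reject before touching any entity; the token is checked server-side,
            // which is what makes it safe to expose the value to the browser.
            return new JsonResponse(['error' => 'invalid csrf token'], 403);
        }

        // Load the entity by $id, verify the current user owns it, apply the update.
        return new JsonResponse(['id' => $id, 'status' => 'updated']);
    }
}
```

On the client, send it with something like `fetch(Routing.generate('my_update_route', {id: entity.id}), {method: 'POST', headers: {'X-CSRF-Token': token}})`, where `token` was rendered into the page with Twig's `csrf_token('entity_update')`.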