I've got a question on how to best/safely pass parameters on an ajax request to my controller.
我有一个关于如何最好/安全地将ajax请求的参数传递给我的控制器的问题。
I've got these two options within my project using Symfony:
我使用Symfony在我的项目中有这两个选项:
(1) I could pass parameters, like my entity id and a csrf token, via:
(1)我可以通过以下方式传递参数,例如我的实体ID和csrf标记:
Routing.generate("my_update_route", {'id': entity.id, 'token' : token});
-> benefit of this approach would be, that I could check within my @Route annotation the correct parameter type with requirements:
- >这种方法的好处是,我可以在我的@Route注释中检查带有要求的正确参数类型:
@Route("/account/entity/update/{id}/{token}", name="my_update_route",
requirements={"id" = "\d+", "token" = "[a-z]+"})
-> but is passing the id and a security (csrf) token via this way (Url) the recommended way?
- >但是通过这种方式(Url)推荐的方式传递id和安全(csrf)令牌?
Or (2) Passing the variables via the post body, not in the url and I would loose the possibility to check with "requirements" the correct type automatically - but - the values are passed more safely to the server (of course when using https).
或者(2)通过帖子体传递变量,而不是在URL中传递变量,我将无法自动检查“需求”的正确类型 - 但是 - 值更安全地传递到服务器(当然使用https时) )。
How do you normally pass your parameters when using AJAX requests? What is the most secure way of doing it?
在使用AJAX请求时,您通常如何传递参数?这样做最安全的方法是什么?
1 个解决方案
#1
0
You can pass the id and the token via URL without problem.
您可以通过URL传递id和令牌而不会出现问题。
As you said the annotation @Route allow you to check parameters patterns (id => integer and token => string).
正如您所说,注释@Route允许您检查参数模式(id => integer和token => string)。
The token value doesn't necessarily have to be secret as mentioned in this reference.
如本参考文献中所述,令牌值不一定必须是秘密的。
Hope it will help you.
希望它会对你有所帮助。
#1
0
You can pass the id and the token via URL without problem.
您可以通过URL传递id和令牌而不会出现问题。
As you said the annotation @Route allow you to check parameters patterns (id => integer and token => string).
正如您所说,注释@Route允许您检查参数模式(id => integer和token => string)。
The token value doesn't necessarily have to be secret as mentioned in this reference.
如本参考文献中所述,令牌值不一定必须是秘密的。
Hope it will help you.
希望它会对你有所帮助。