I know this question must've been asked various times here but I have not found a solution from all links I could search for. I don't understand how to do this.
我知道这个问题肯定在这里被问过很多次了,但是我还没有找到我能找到的所有链接的答案。我不知道怎么做。
I have a form, with 2 textboxes and 1 submit button. The form name is 'form1'
我有一个表单,有两个文本框和一个提交按钮。表单名称为'form1'
here is what I was using till now:
这是我现在使用的:
<script type="text/javascript">
$("#form1").submit(function() {
$.ajax({
type: 'GET',
url: 'response.php',
data: {1: $("#txt1").val(), 2: $("#txt2").val()},
success: function (data) {
$("#update").prepend(data);
},
error: function (xhr, ajaxOptions, thrownError) {
alert(thrownError);
}
});
});
</script>
'update' is a table.
“更新”是一个表。
I am adding a new row to it after the data is parsed in response.php.
在response.php中解析数据之后,我向它添加了一个新的行。
Now, the problem is, using AJAX for this is not at all secure. Users can use plugins such as 'Tamper Data' for firefox to mess with these and send any data they want regardless of what they entered. Thus, making me vulnerable to XSS and CSRF attacks.
现在的问题是,使用AJAX实现这一点并不安全。用户可以使用像“篡改数据”这样的插件来处理这些数据,并发送任何他们想要的数据,而不管他们输入的是什么。因此,我很容易受到XSS和CSRF攻击。
So I tried a different approach, I set the form's action to response.php.
我尝试了另一种方法,将表单的动作设置为response.php。
Now, there are 2 problems in doing that:
这样做有两个问题:
-
The page refreshes.
页面刷新。
-
How can I make the table row prepend via PHP that too in another document? Earlier I was just echoing it and then AJAX prepended the data for me.
如何通过PHP在另一个文档中设置表行前置?之前,我只是重复了一下,然后AJAX为我预置了数据。
3 个解决方案
#1
3
To make things clear: There is no other way than "refreshing" or AJAX.
澄清一下:除了“刷新”或AJAX之外没有其他方法。
You should stick to AJAX. To amend your security concerns, you can add a token to the form, which is only valid for this user (saved in his session on login). Therefore noone else can send data in his name and thus eliminiating the risk for XSS and CSRF.
您应该坚持使用AJAX。要修改安全性问题,可以向表单添加一个令牌,该令牌仅对该用户有效(登录时保存在其会话中)。因此,没有其他人可以以他的名义发送数据,从而为XSS和CSRF的风险提供了帮助。
You need to transmit that token in your AJAX request and check it in response.php.
您需要在AJAX请求中传输这个令牌,并在response.php中检查它。
Validation in response.php:
在response.php验证:
Escape everything which goes into your database. mysql_real_escape_string or PDO will help you with that.
转义进入数据库的所有内容。mysql_real_escape_string或PDO将帮助您实现这一点。
When you output userdata somewhere in your page use htmlspecialchars().
当您在页面的某个地方输出用户数据时,使用htmlspecialchars()。
You might also consider strip_tags() before saving or printing any values.
您还可以在保存或打印任何值之前考虑strip_tags()。
#2
0
Since you're submitting a form request, you should be using POST instead.
既然您提交了一个表单请求,那么您应该使用POST代替。
Secondly, ajax post is no less secure than a regular post so you should not be worried.
第二,ajax post和普通post一样安全,所以您不必担心。
Third, if you're worrying about someone sniffing your network. Have your website use HTTPs instead.
第三,如果你担心有人在嗅探你的网络。让你的网站改用HTTPs。
To prevent XSS attacks, you should be modifying your data before printing it to the end user using something like htmlentities.
为了防止XSS攻击,您应该在使用htmlentities之类的东西将数据打印到最终用户之前修改数据。
To prevent sql injections, I would suggest using PDO or atleast escape your userinput before.
为了防止sql注入,我建议使用PDO或至少在之前转义用户输入。
#3
0
Removing AJAX isn't the solution to solve XSRF and XSS vulnerabilities. Instead you should use form tokens, two step forms, etc to prevent this.
删除AJAX并不是解决XSRF和XSS漏洞的解决方案。相反,您应该使用表单标记、两步表单等来防止这种情况。
Using session tokens isn't very hard - you just have to generate a token for each form, save them on the server and compare the send token with them on the server. To be really secure, you should generate a token for each form, but you could also use a token for each session.
使用会话令牌并不难——您只需为每个表单生成一个令牌,将它们保存在服务器上,并将发送令牌与服务器上的令牌进行比较。为了真正的安全,应该为每个表单生成一个令牌,但也可以为每个会话使用一个令牌。
Btw. XSS isn't a problem of ajax or some form posts - it's a problem of not escaping malificious output. htmlentities and stuff like this, should help you.
顺便说一句。XSS不是ajax或某些表单发布的问题——这是一个无法摆脱恶性输出的问题。htmlentities和类似的东西,应该会帮助您。
#1
3
To make things clear: There is no other way than "refreshing" or AJAX.
澄清一下:除了“刷新”或AJAX之外没有其他方法。
You should stick to AJAX. To amend your security concerns, you can add a token to the form, which is only valid for this user (saved in his session on login). Therefore noone else can send data in his name and thus eliminiating the risk for XSS and CSRF.
您应该坚持使用AJAX。要修改安全性问题,可以向表单添加一个令牌,该令牌仅对该用户有效(登录时保存在其会话中)。因此,没有其他人可以以他的名义发送数据,从而为XSS和CSRF的风险提供了帮助。
You need to transmit that token in your AJAX request and check it in response.php.
您需要在AJAX请求中传输这个令牌,并在response.php中检查它。
Validation in response.php:
在response.php验证:
Escape everything which goes into your database. mysql_real_escape_string or PDO will help you with that.
转义进入数据库的所有内容。mysql_real_escape_string或PDO将帮助您实现这一点。
When you output userdata somewhere in your page use htmlspecialchars().
当您在页面的某个地方输出用户数据时,使用htmlspecialchars()。
You might also consider strip_tags() before saving or printing any values.
您还可以在保存或打印任何值之前考虑strip_tags()。
#2
0
Since you're submitting a form request, you should be using POST instead.
既然您提交了一个表单请求,那么您应该使用POST代替。
Secondly, ajax post is no less secure than a regular post so you should not be worried.
第二,ajax post和普通post一样安全,所以您不必担心。
Third, if you're worrying about someone sniffing your network. Have your website use HTTPs instead.
第三,如果你担心有人在嗅探你的网络。让你的网站改用HTTPs。
To prevent XSS attacks, you should be modifying your data before printing it to the end user using something like htmlentities.
为了防止XSS攻击,您应该在使用htmlentities之类的东西将数据打印到最终用户之前修改数据。
To prevent sql injections, I would suggest using PDO or atleast escape your userinput before.
为了防止sql注入,我建议使用PDO或至少在之前转义用户输入。
#3
0
Removing AJAX isn't the solution to solve XSRF and XSS vulnerabilities. Instead you should use form tokens, two step forms, etc to prevent this.
删除AJAX并不是解决XSRF和XSS漏洞的解决方案。相反,您应该使用表单标记、两步表单等来防止这种情况。
Using session tokens isn't very hard - you just have to generate a token for each form, save them on the server and compare the send token with them on the server. To be really secure, you should generate a token for each form, but you could also use a token for each session.
使用会话令牌并不难——您只需为每个表单生成一个令牌,将它们保存在服务器上,并将发送令牌与服务器上的令牌进行比较。为了真正的安全,应该为每个表单生成一个令牌,但也可以为每个会话使用一个令牌。
Btw. XSS isn't a problem of ajax or some form posts - it's a problem of not escaping malificious output. htmlentities and stuff like this, should help you.
顺便说一句。XSS不是ajax或某些表单发布的问题——这是一个无法摆脱恶性输出的问题。htmlentities和类似的东西,应该会帮助您。