security - How can I better protect my php, jquery, ajax requests from malicious users -

-

i send lot of data through jquerys getjson method, example of function is

function dosomething(sid){     if(sid){      $.getjson("ajax/ajaxdosomething.php",{sid:""+sid+""}, function(data){         //alert(data);         if(data.success == true){             $('#add_vote_div').html('vote received');             $('#list_data_div').html(data.html);         }         else{             $('#add_vote_div').html(data.message);         }     });   }  }`

the problem can @ source , see location of php file sending data to, therefore point browser there , append data url. checks on data make sure right data type, dont want users able go url @ all.

i thought maybe put ajax files behind main document root work jquery can't link absolute paths like

$.getjson("var/www/ajax/dosomething.php",{sid:""+sid+""}

(main document root var/www/html/)

if made $.postjson work better, doesn't exist, ideas?

it raises bar hacking slightly, can post json via jquery.ajax (that's link) or jquery.post (so's that). jquery.getjson wrapper ajax (as .post, , .get). getjson docs:

this shorthand ajax function, equivalent to:

$.ajax({     url:      url,     datatype: 'json',     data:     data,     success:  callback });

thus, postjson concept, you'd add type parameter it:

$.ajax({     url:      url,     type:     'post',   // <== new bit     datatype: 'json',     data:     data,     success:  callback });

if wanted to, add postjson jquery object, pre-processing arguments , calling $.ajax. copy-and-paste the jquery source, switching .get .post:

if (!jquery.postjson) {     jquery.postjson = function( url, data, callback ) {         return jquery.post(url, data, callback, "json");     }; }

mind you, it's still pretty easy fake post. not easy get, still pretty easy.


Comments

Post a Comment

Popular posts from this blog

android - Spacing between the stars of a rating bar? -

-
ho can set spacing beween stars? thats ratingbar: ratingbar = (ratingbar) inflater.inflate(r.layout.ratingbar, null); ratingbar.setlayoutparams(new layoutparams(layoutparams.wrap_content, layoutparams.wrap_content)); the layout: <?xml version="1.0" encoding="utf-8"?> <ratingbar xmlns:android="http://schemas.android.com/apk/res/android" style="@style/mystyle" android:layout_alignparentright="true" android:layout_height="19dp" android:layout_width="wrap_content" android:numstars="5"> </ratingbar> the style: <style name="mystyle" parent="@android:style/widget.ratingbar"> <item name="android:progressdrawable">@drawable/android_r2_ratingstar_yellow</item> <item name="android:indeterminatedrawable">@drawable/android_r2_ratingstar_grey</item> </style> thanks, cheers you have
Read more

aspxgridview - Devexpress grid - header filter does not work if column is initially hidden -

-
i'm using devexpress grid , i'm trying 'country' column display header filter properly: <dx:gridviewdatacolumn caption="country" fieldname="countryname" showincustomizationform="true" visible="false"> <settings allowheaderfilter="true"/> </dx:gridviewdatacolumn> if 'country' column set visible='true', header filter displayed should(it shows value option list). however, want 'country' column hidden, available in customization window(like in code above). in case, when column dragged outside customization window , grid , header filter clicked, javascript error encountered: element null element.addeventlistener(eventname, func, true); is known bug? there workarounds? set aspxgridview.settings.showheaderfilterbutton property true resolve problem. the following markup works fine me (i using dxperience 10.1.7): <asp:accessdatasource id="accessda
Read more

c# - How to execute a particular part of code asynchronously in a class -

-
i creating speech recognition engine that's going respond user commands.i have created button enable , disable speech recognition per user convenience.i have used dispose() of speech engine disable speech recoginition.here code private void button1_click(object sender, routedeventargs e) { engineon = !engineon; if (engineon) { speechengine = speech.createspeechengine(); //speech class creates , returns new speech engine. speechengine.audiolevelupdated += new eventhandler<audiolevelupdatedeventargs>(speechengine_audiolevelupdated); // use system's default microphone speechengine.setinputtodefaultaudiodevice(); speechengine.loadgrammar(new dictationgrammar()); // start listening speechengine.recognizeasync(recognizemode.multiple); } else { speechclass.myengine.dispose(); } } but disposal of speech obj
Read more