Is it safe for front-end JS to rely on a PHP-generated JS variable a=1 as proof of permission for some action?

Source: Internet
Author: User
Is it safe for front-end JS to rely on a PHP-generated JS variable a=1 as proof of permission for some action?
For example, the page sends an Ajax request to the backend for some action and receives a PHP-generated JS variable var permission=1;
then the front-end JS performs some operation based on this permission.


Reply to discussion (solution)

The problem is not big; if you are worried about it, you can add some validation.

Tags: Ajax, Permissions

...... There is no problem with that; many website registrations return information to the page via Ajax.
However, I still suggest doing a permission check when the action is actually performed; after all, JS validation happens on the client, and who knows what problems that might cause.

Why wouldn't it be safe?
Ajax cannot cross domains, so the instructions can only come from your own server.
If you don't even trust your own server, then what is there left to do?

If the page forges a global variable var permission=1;
then the front-end JS performs some operation based on this permission.

Is this feasible?

Who faked it?

Quoting the 4th-floor reply by nowphp:
If the page forges a global variable var permission=1;
then the front-end JS performs some operation based on this permission.

I don't know much about this, so I'm not sure whether front-end JS can be rewritten by a hacker. For example, if I have var a = 'xx'; can he change my script code to var a = 'yy'? If not, then the only option would be for the hacker to build his own page to submit the JS variable.

As for what you said above, that Ajax cannot cross domains, that reassured me; but in fact I searched on Baidu and found a lot of articles about cross-domain Ajax submission, so how does that work?

It can be done.
But "performing some operation based on this permission" still needs a permission check of its own.

After all, JS on the client can be modified.

Encrypt decrypt ...

This is something that has to be considered whenever the data is security-related. We almost never trust data sent back from the client.
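The point the last few replies make (the PHP-emitted flag is only a UI hint; authorization has to be re-derived on the server) shown as an added example that is not part of the original thread. It models the rendered "var permission = 1", the client-side gate and the Ajax handler as plain JavaScript functions; the session store, the user names and the handler names are assumptions made for the illustration.

```javascript
// Added example, not code from the original thread.
// Assumed: a server-side session store keyed by a cookie value, and a request
// shape { cookies, body }. All identifiers below are hypothetical.

// Constructed session store: who is logged in and what they may do (server side).
const SESSIONS = {
  "sid-alice": { user: "alice", canDelete: true },
  "sid-bob":   { user: "bob",   canDelete: false },
};

// What the thread describes: the server renders the flag into the page's JS.
function renderPermissionScript(sessionId) {
  const s = SESSIONS[sessionId];
  return `var permission = ${s && s.canDelete ? 1 : 0};`;
}

// The client-side gate from the thread: only send the Ajax request when
// permission === 1. The user controls this value (DevTools console, a proxy,
// or simply not running the page at all), so it is UI logic, not security.
function clientSideGate(permission, sendRequest) {
  if (permission !== 1) return "blocked-in-browser";
  return sendRequest();
}

// Insecure backend: trusts the permission flag the client posts back.
function handleDeleteInsecure(req) {
  if (Number(req.body.permission) === 1) return "deleted";
  return "forbidden";
}

// Hardened backend: ignores anything the request says about permissions and
// re-derives authorization from the server-side session.
function handleDeleteSecure(req) {
  const s = SESSIONS[req.cookies.sid];
  if (!s) return "unauthenticated";
  if (!s.canDelete) return "forbidden";
  return "deleted";
}

// Constructed attacker request: bob (no delete right) skips the page entirely
// and posts permission=1 directly, e.g. with curl from his own machine.
function forgedRequestFromBob() {
  return { cookies: { sid: "sid-bob" }, body: { permission: "1", id: 42 } };
}

function demo() {
  const req = forgedRequestFromBob();
  return {
    scriptForBob: renderPermissionScript("sid-bob"),              // "var permission = 0;"
    honestGate: clientSideGate(0, () => handleDeleteSecure(req)), // "blocked-in-browser"
    flippedGate: clientSideGate(1, () => handleDeleteSecure(req)),// "forbidden"
    insecure: handleDeleteInsecure(req),                          // "deleted"  (the bug)
    secure: handleDeleteSecure(req),                              // "forbidden"
  };
}
```

The client gate never runs for an attacker: the flag is rewritten in the console, or the request is sent directly with curl. The same-origin policy mentioned in the thread only constrains scripts running inside a victim's browser; it does not constrain the attacker's own tooling, so the only check that holds is the one in handleDeleteSecure, which reads the session rather than the request body.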
