Home > Tutorials > PHP Tutorials

Think of a question: code there is no need to make an AJAX request to judge

Source: Internet
Author: User
Tags csrf attack
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >
Think of a problem: code there is no need to do Ajax request judgment
Ajax has never been done before whether it is the judgment of the AJAX request.
A new colleague said he had to make a judgment before he noticed this.
I checked a lot of sites like Youku
None of them did the Ajax-acquired judgment.
Is it necessary to make this judgment?
Ajax ? PHP


------Solution--------------------
It's best to do it. The return data requirements for the general Ajax request are higher
------Solution--------------------
Reference :
reference: Best to do, general Ajax request the return data requirements are higher
I think I did the best.
It is no harm not to do so, previously thought that the result of the request is to be presented.

Why do sites like Youku not make this restriction?

Thank you, moderator, Big Brother's answer


What to look at, such as your website supports the ability to publish a message, and this is an AJAX request, and the Get method to pass the parameter. For example: Msg.php?content=test.

So if you do not make the Ajax judgment, at the same time your site is a very fire site (such as Weibo, etc.), then I can malicious attack, under my site to insert an IFRAME, and this iframe point is msg.php?content= I was attacked, So once you visit my site, in case you don't know, in fact your Weibo has updated a message "I was attacked", which is the most common and simplest csrf attack.

Some serious attack infiltration into the banking process, so look at your needs, Ajax I suggest or do judge it, at least also to refer judge it ~
Now some sites this vulnerability is still very serious, two weeks ago I also found a known domestic large web site of this vulnerability, as long as I posted a post in the forum said everyone to see (that address is my own test server URL), then this site will automatically increase the number of votes, Many people do not know how to help me to vote ...

Really suggest, make a judgment ~
------Solution--------------------
The key to the demand, the process is to receive a request, return a result
It is not necessary to judge at this level if a reasonable request is foreseeable (the unreasonable situation has been dealt with at other levels).
If it is not foreseeable whether it is reasonable, then even if not Ajax to make a variety of judgments
For example, form submission, although client-side JavaScript makes a judgment, but still cannot determine whether malicious commit

If the return is for a specific request, such as an API, then you must check the
As for attacks, isn't Ajax a precaution?

Remember a principle: easy to enter difficult to out

    • This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

    Related Keywords:
    how to think of good website name how to think of good password need to make domain private how to make http request no rule to make target need to scan to computer is no longer activated

    Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    What's Trending
    Top 10 Tags
    datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
    Top 10 Keywords
    microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    Get Started for Free

    • Sales Support

      1 on 1 presale consultation

      Chat Contact Sales

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

      Open a Ticket

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

      Learn More