JQuery Ajax Voting

Submitted by 天大地大妈咪最大 on 2019-12-22 12:15:58

Question


I am using this JQuery Ajax Voting system guide as a rough reference but I am a little troubled at the security of this. Right now this guide basically stores the ID of something and the vote statistics for it.

I'd like to go off a similar idea but I need to include the userID as well so a user can only vote once. This is stored in a PHP session variable and I was wondering if the ajax page that gets called will have access to that session or not. If not, what is a safe way of passing in the parameter so it can't be hijacked by a man-in-the-middle attack or faked?


Answer 1:


The server will have access to the session data through the AJAX call as long as you do session_start(); at the top of your script. You should also make sure you sanitize your data, as I see that tutorial is doing queries without passing the data through mysql_real_escape_string. You should also do UNIQUE KEY(user_id, id) on the votes table to ensure there's no dupes.
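
A sketch of the vote handler the answer above describes, added here as an example and not part of the original answer or the tutorial. The table layout, the `user_id` session key, the POST field names and the database credentials are assumptions, and PDO bound parameters stand in for mysql_real_escape_string, since the mysql_* functions were removed in PHP 7.

```php
<?php
// vote.php (hypothetical name). Assumed MySQL schema, with the composite
// unique key from the answer so one user can vote once per item:
//   CREATE TABLE votes (
//     user_id INT NOT NULL, id INT NOT NULL, vote TINYINT NOT NULL,
//     UNIQUE KEY (user_id, id)
//   );

function record_vote(PDO $db, int $userId, int $itemId, int $vote): string
{
    // Accept only a positive item id and an up (+1) or down (-1) vote.
    if ($itemId <= 0 || !in_array($vote, [1, -1], true)) {
        return 'invalid';
    }
    try {
        // Bound parameters: no request value is concatenated into the SQL.
        $stmt = $db->prepare('INSERT INTO votes (user_id, id, vote) VALUES (?, ?, ?)');
        $stmt->execute([$userId, $itemId, $vote]);
        return 'ok';
    } catch (PDOException $e) {
        // SQLSTATE class 23 is an integrity constraint violation: the unique
        // key rejected a second vote by this user on this item.
        if (substr((string) $e->getCode(), 0, 2) === '23') {
            return 'duplicate';
        }
        throw $e;
    }
}

session_start(); // the AJAX request carries the same session cookie as the page
header('Content-Type: application/json');

// Reject non-POST requests and visitors without a logged-in session.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_SESSION['user_id'])) {
    http_response_code(403);
    exit(json_encode(['status' => 'denied']));
}

// Placeholder connection details; replace with the application's own.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user',
    'placeholder-password', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// The voter id comes only from the session; the client sends just item and vote.
$itemId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
$vote   = filter_input(INPUT_POST, 'vote', FILTER_VALIDATE_INT);
echo json_encode(['status' => record_vote($db, (int) $_SESSION['user_id'], (int) $itemId, (int) $vote)]);
```

Because the user id is never read from the request, a client cannot vote as someone else by changing a parameter, and the unique key closes the race where two simultaneous requests both pass an application-level "already voted" check.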




Answer 2:


You should be able to pull the same Session variable from the handler that actually stores the user vote.

As a basic security measure you could encrypt the UserId on the page with the voting before the AJAX call and decrypt the UserId when doing the insert if it's not available in the session.



Source: https://stackoverflow.com/questions/860895/jquery-ajax-voting
