i am implementing a PHP application, i am using AJAX heavily in forms to send and retrieve values. the typical jQuery function i am implementing is
我正在实现一个PHP应用程序,我在表单中大量使用AJAX来发送和检索值。我正在实现的典型jQuery函数是
(function($){
$.fn.saveCountry = function(destinationUrl) {
this.click(function(){
var formData = $('form').serialize();
$.ajax({
type: 'POST',
url: 'path/to/files/models/directory/process.php',
data: 'option=savecountry&'+formData,
success: function(msg){
if(msg === 'empty') {
alert('Required Values Missing');
} else if(msg == 'DR'){
alert('Duplicate Entry Found');
} else {
destinationUrl(msg);
}
}
});
});
}
}($));
the problem with the above function is it exposes the application structure of my application for example. the object url: 'path/to/files/models/directory/process.php', reveals the information about the directory structure i am using. this is a kind of threat as anyone with the access to console will be able to monitor what is happening with the request and could misuse it. is there anyway i could hide this data from the outside world?
上述函数的问题是它暴露了我的应用程序的应用程序结构。对象url:'path / to / files / models / directory / process.php',显示有关我正在使用的目录结构的信息。这是一种威胁,因为任何有权访问控制台的人都能够监视请求发生的事情,并可能滥用它。无论如何我可以隐藏外部世界的这些数据吗?
thank you.
谢谢。
3 个解决方案
#1
3
Ultimately no.
最终没有。
The user will always be able to find out the URL of the ajax request if they wish to.
如果愿意,用户将始终能够找到ajax请求的URL。
It can be as simple as opening up firebug and watching the requests that are made.
它可以像打开萤火虫和观察所提出的请求一样简单。
What I'd sugest is some kind of URL abstration such as URL Rewriting in order to hide the physical structure of your file system. This way you'll not have that specific concern about people seeing your URLs.
我想要的是某种URL重写,例如URL重写,以隐藏文件系统的物理结构。这样,您就不会对人们看到您的网址感到特别关注。
#2
2
I'm not a PHP programmer (touched it many years ago), so I'll give you a general answer.
我不是一个PHP程序员(很多年前就碰过它),所以我会给你一个通用的答案。
Simply create a proxy page, which hides the internal workings of your application. The proxy page is just a go in between the browser and the application itself. What it does is translating an ID that you pass along with the AJAX call to a function in the application (it could do more than that, but I try to keep this simple). It passes along the data you submitted in your AJax call. The proxy would send back any data passed back from the function to the browser.
只需创建一个代理页面,它隐藏了应用程序的内部工作方式。代理页面只是浏览器和应用程序本身之间的一个介入。它的作用是将你传递的ID与AJAX调用一起转换为应用程序中的一个函数(它可以做更多的事情,但我试着保持这个简单)。它传递您在AJax调用中提交的数据。代理会将从函数传回的任何数据发回给浏览器。
The JavaScript code would look pretty much the same as the code you already have. The only changes would be that the url would be the URL of your proxy page and the data would also contain an ID with the value that corresponds to the value of the function that you wish to execute in the proxy.
JavaScript代码看起来与您已有的代码几乎相同。唯一的变化是url将是您的代理页面的URL,并且数据还将包含一个ID,其值对应于您希望在代理中执行的函数的值。
All your AJAX calls can be routed through this proxy page, since each function would have an unique ID.
您可以通过此代理页面路由所有AJAX调用,因为每个函数都有唯一的ID。
It's a bit programming upfront, but when you've done this once, you can reuse parts of the code in future projects.
这是预先编程的一点,但是当你完成这一步时,你可以在将来的项目中重用部分代码。
#3
0
No. You need to write your server-side code in a way that arbitrary requests won't cause any problems.
不需要。您需要以任意请求不会导致任何问题的方式编写服务器端代码。
#1
3
Ultimately no.
最终没有。
The user will always be able to find out the URL of the ajax request if they wish to.
如果愿意,用户将始终能够找到ajax请求的URL。
It can be as simple as opening up firebug and watching the requests that are made.
它可以像打开萤火虫和观察所提出的请求一样简单。
What I'd sugest is some kind of URL abstration such as URL Rewriting in order to hide the physical structure of your file system. This way you'll not have that specific concern about people seeing your URLs.
我想要的是某种URL重写,例如URL重写,以隐藏文件系统的物理结构。这样,您就不会对人们看到您的网址感到特别关注。
#2
2
I'm not a PHP programmer (touched it many years ago), so I'll give you a general answer.
我不是一个PHP程序员(很多年前就碰过它),所以我会给你一个通用的答案。
Simply create a proxy page, which hides the internal workings of your application. The proxy page is just a go in between the browser and the application itself. What it does is translating an ID that you pass along with the AJAX call to a function in the application (it could do more than that, but I try to keep this simple). It passes along the data you submitted in your AJax call. The proxy would send back any data passed back from the function to the browser.
只需创建一个代理页面,它隐藏了应用程序的内部工作方式。代理页面只是浏览器和应用程序本身之间的一个介入。它的作用是将你传递的ID与AJAX调用一起转换为应用程序中的一个函数(它可以做更多的事情,但我试着保持这个简单)。它传递您在AJax调用中提交的数据。代理会将从函数传回的任何数据发回给浏览器。
The JavaScript code would look pretty much the same as the code you already have. The only changes would be that the url would be the URL of your proxy page and the data would also contain an ID with the value that corresponds to the value of the function that you wish to execute in the proxy.
JavaScript代码看起来与您已有的代码几乎相同。唯一的变化是url将是您的代理页面的URL,并且数据还将包含一个ID,其值对应于您希望在代理中执行的函数的值。
All your AJAX calls can be routed through this proxy page, since each function would have an unique ID.
您可以通过此代理页面路由所有AJAX调用,因为每个函数都有唯一的ID。
It's a bit programming upfront, but when you've done this once, you can reuse parts of the code in future projects.
这是预先编程的一点,但是当你完成这一步时,你可以在将来的项目中重用部分代码。
#3
0
No. You need to write your server-side code in a way that arbitrary requests won't cause any problems.
不需要。您需要以任意请求不会导致任何问题的方式编写服务器端代码。