jsGrid:如何使用 ajax 将其他变量从 javascript 传递到 php
jsGrid: How to pass additional variables from javascript to php using ajax
I'm using jsGrid for my project. View here for original source code
我想传递一个额外的变量调用 $user_session 以用于 fetch.php 中的 mysql select 查询但失败了。以下是我一直在尝试的。
<script>
var user_session = "<?php echo $user_session; ?>"; //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
//......
controller: {
loadData: function(){
return $.ajax({
type: "GET",
url: "fetch_data.php",
data: {user_session:user_session} //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
});
},
//......
这是 fetch.php 文件
<?php
if($method == 'GET')
{
$user_session = $_GET['user_session']; //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
$query = "SELECT * FROM sample_data WHERE first_name=? ORDER BY id DESC";
$statement = $connect->prepare($query);
$statement->execute($user_session); //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
$result = $statement->fetchAll();
foreach($result as $row)
{
$output[] = array(
'id' => $row['id'],
'first_name' => $row['first_name'],
'last_name' => $row['last_name'],
'age' => $row['age'],
'gender' => $row['gender']
);
}
header("Content-Type: application/json");
echo json_encode($output);
}
//......
?>
执行此操作的正确方法是什么?
首先,任何人都可以在浏览器中打开开发控制台并开始模糊测试您的会话 ID。当您正确地准备您的查询,化解 sql 注入时,它并不能保护您免受 IDOR,或者,我可以通过重复查询您的应用程序来枚举您的用户。
如果您真的想在客户端传递您的会话 ID,也许您可以考虑使用 cookie,因为它不太容易被普通用户编辑。
我可以通过这种方式做到。
<script>
//......
controller: {
loadData: function(filter){
var user_session = "<?php echo $user_session; ?>"; //<<<<<<<<<<<<<<<<<<<<<<<<<<<
return $.ajax({
type: "GET",
url: "fetch_data.php",
data: {filter,
user_session:user_session //<<<<<<<<<<<<<<<<<<<<<<<<<<<
},
});
},
//......
</script>
在 fetch.php 我这样做了。
<?php
if($method == 'GET')
{
$user_session = $_GET['user_session'];//<<<<<<<<<<<<<<<<<<<<<<<<<<<
$query = "SELECT * FROM sample_data WHERE first_name=? ORDER BY id DESC";
$statement = $connect->prepare($query);
$statement->execute([$user_session]); //<<<<<<<<<<<<<<<<<<<<<<<<<<<
$result = $statement->fetchAll();
foreach($result as $row)
{
$output[] = array(
'id' => $row['id'],
'first_name' => $row['first_name'],
'last_name' => $row['last_name'],
'age' => $row['age'],
'gender' => $row['gender']
);
}
header("Content-Type: application/json");
echo json_encode($output);
}
//......
?>
@Andrea Golin提到的安全问题,我再post再问一个问题。
谢谢。
终于找到更好的方法了
我可以在fetch.php.
里面直接调用$user_session
<?php
require('user_session.php'); //<<<<<<<<<<<<<<<<<<<<<<<<<<<
require('includes/db.php');
$method = $_SERVER['REQUEST_METHOD'];
if($method == 'GET')
{
$query = "SELECT * FROM sample_data WHERE first_name=? ORDER BY id DESC";
$statement = $conn->prepare($query);
$statement->execute([$user_session]); //<<<<<<<<<<<<<<<<<<<<<<<<<<<
$result = $statement->fetchAll();
foreach($result as $row)
{
$output[] = array(
'ChildID' => $row['ChildID'],
'Name' => $row['Name'],
'BirthDate' => $row['BirthDate'],
'Gender' => $row['Gender'],
'StudyorWorking' => $row['StudyorWorking'],
'CourseorOccupation' => $row['CourseorOccupation'],
'Married' => $row['Married']
);
}
header("Content-Type: application/json");
echo json_encode($output);
}
?>
I'm using jsGrid for my project. View here for original source code
我想传递一个额外的变量调用 $user_session 以用于 fetch.php 中的 mysql select 查询但失败了。以下是我一直在尝试的。
<script>
var user_session = "<?php echo $user_session; ?>"; //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
//......
controller: {
loadData: function(){
return $.ajax({
type: "GET",
url: "fetch_data.php",
data: {user_session:user_session} //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
});
},
//......
这是 fetch.php 文件
<?php
if($method == 'GET')
{
$user_session = $_GET['user_session']; //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
$query = "SELECT * FROM sample_data WHERE first_name=? ORDER BY id DESC";
$statement = $connect->prepare($query);
$statement->execute($user_session); //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
$result = $statement->fetchAll();
foreach($result as $row)
{
$output[] = array(
'id' => $row['id'],
'first_name' => $row['first_name'],
'last_name' => $row['last_name'],
'age' => $row['age'],
'gender' => $row['gender']
);
}
header("Content-Type: application/json");
echo json_encode($output);
}
//......
?>
执行此操作的正确方法是什么?
首先,任何人都可以在浏览器中打开开发控制台并开始模糊测试您的会话 ID。当您正确地准备您的查询,化解 sql 注入时,它并不能保护您免受 IDOR,或者,我可以通过重复查询您的应用程序来枚举您的用户。
如果您真的想在客户端传递您的会话 ID,也许您可以考虑使用 cookie,因为它不太容易被普通用户编辑。
我可以通过这种方式做到。
<script>
//......
controller: {
loadData: function(filter){
var user_session = "<?php echo $user_session; ?>"; //<<<<<<<<<<<<<<<<<<<<<<<<<<<
return $.ajax({
type: "GET",
url: "fetch_data.php",
data: {filter,
user_session:user_session //<<<<<<<<<<<<<<<<<<<<<<<<<<<
},
});
},
//......
</script>
在 fetch.php 我这样做了。
<?php
if($method == 'GET')
{
$user_session = $_GET['user_session'];//<<<<<<<<<<<<<<<<<<<<<<<<<<<
$query = "SELECT * FROM sample_data WHERE first_name=? ORDER BY id DESC";
$statement = $connect->prepare($query);
$statement->execute([$user_session]); //<<<<<<<<<<<<<<<<<<<<<<<<<<<
$result = $statement->fetchAll();
foreach($result as $row)
{
$output[] = array(
'id' => $row['id'],
'first_name' => $row['first_name'],
'last_name' => $row['last_name'],
'age' => $row['age'],
'gender' => $row['gender']
);
}
header("Content-Type: application/json");
echo json_encode($output);
}
//......
?>
@Andrea Golin提到的安全问题,我再post再问一个问题。
谢谢。
终于找到更好的方法了
我可以在fetch.php.
<?php
require('user_session.php'); //<<<<<<<<<<<<<<<<<<<<<<<<<<<
require('includes/db.php');
$method = $_SERVER['REQUEST_METHOD'];
if($method == 'GET')
{
$query = "SELECT * FROM sample_data WHERE first_name=? ORDER BY id DESC";
$statement = $conn->prepare($query);
$statement->execute([$user_session]); //<<<<<<<<<<<<<<<<<<<<<<<<<<<
$result = $statement->fetchAll();
foreach($result as $row)
{
$output[] = array(
'ChildID' => $row['ChildID'],
'Name' => $row['Name'],
'BirthDate' => $row['BirthDate'],
'Gender' => $row['Gender'],
'StudyorWorking' => $row['StudyorWorking'],
'CourseorOccupation' => $row['CourseorOccupation'],
'Married' => $row['Married']
);
}
header("Content-Type: application/json");
echo json_encode($output);
}
?>