Allow jquery only to load specific pages

Sorry, if this has already been asked, I searched Google and could not find the answer.

I'm new to jQuery and I wonder how to protect my internal pages from being loaded by external users?

For example, if my jquery.post or .get calls "delete-post.php", I want jQuery to be able to load this page. I don't want John Doe to understand that he can send data from his own form to delete-post.php and delete anything he wants, or call `delete-post.php?id=whatever_id_he_wants`.

Hope this makes sense? As I said, I'm new to jQuery and wondering about security.

4 answers

What you can do, and something that you should do in any case, is check that the user is logged in and has the right to delete the post. You do this in the delete-post.php script by checking the session variables.

The problem here is not jQuery or AJAX: if it were a regular static form, the user could still figure out how to post to delete-post.php on his own anyway.

Hope this helps.

Edit: And welcome to SO. :)


, . Javascript . delete-post.php , , script, - .


, xhttp/ajax, , . , , , , . ajax.

- , , , IP- , .

- , , .


( "nonce", , ).

nonce , , , .

( ! , , - CSRF), : http://php.robm.me.uk/

As a side note, NEVER do anything destructive using a GET request. Ever. Cardinal rule. Always use POST. In fact, some also consider it good practice to never delete anything from the application, only directly from the database: just set a "deleted" flag to perform a soft delete instead. But this, of course, is not directly related to this question. :-)

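Putting the first and last answers together (session and ownership check on the server, a CSRF nonce, POST only, soft delete), here is an added example of a hardened delete-post.php. It is not code from the thread; it assumes a PDO connection in `$pdo`, a hypothetical `posts` table with `id`, `user_id` and `deleted_at` columns, and that the login code stored `$_SESSION['user_id']` and issued the nonce as `$_SESSION['csrf']`.

```php
<?php
// delete-post.php: added example, not from the original thread.
// Assumed: $pdo (PDO), table posts(id, user_id, deleted_at), $_SESSION['user_id'] set at login,
// and $_SESSION['csrf'] = bin2hex(random_bytes(32)) set when the page with the delete button rendered.
session_start();

// 1. Destructive actions only over POST: a link or <img src> must never be able to delete anything.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Method Not Allowed');
}

// 2. Authentication comes from the session, never from anything the client sends.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Not logged in');
}

// 3. CSRF nonce: another site's form cannot know it; compare in constant time.
$token = $_POST['csrf'] ?? '';
if (empty($_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], $token)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}

// 4. Validate the id before it goes anywhere near the database.
$postId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($postId === false || $postId === null) {
    http_response_code(400);
    exit('Bad id');
}

// 5. Authorization and soft delete in one prepared statement: the WHERE clause only matches
//    rows this user owns, so id=whatever_he_wants affects zero rows instead of someone else's post.
$stmt = $pdo->prepare(
    'UPDATE posts SET deleted_at = NOW() WHERE id = :id AND user_id = :uid AND deleted_at IS NULL'
);
$stmt->execute([':id' => $postId, ':uid' => $_SESSION['user_id']]);

if ($stmt->rowCount() === 0) {
    // Either no such post or not this user's; do not reveal which.
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: application/json');
echo json_encode(['deleted' => $postId]);
```

The page that renders the delete button embeds the same nonce and sends it along, e.g. `$.post('delete-post.php', {id: postId, csrf: token})`; a request without it, or made with `$.get`, is refused before any query runs.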

Source: https://habr.com/ru/post/1756051/