Security risks when using jQuery Ajax

Tags: risk, security, jQuery, Ajax

2023-09-10 13:45:21 Author: 林爱笑

This is a question that has been bothering me for a while, so I am looking for opinions and solutions to clamp down on the possibility of the app being a security risk.

I use jQuery for lots of things, but mainly I use it for processing jQuery dialog windows. A lot of times there is the need to grab a value from a field on the form, concatenate that information with a .serialize() command and pass it off to a jQuery ajax call that heads over to PHP files for database interaction.

Here comes my question (finally),

Isn't it ridiculously easy to 'guess' what the URL could look like for the PHP processing? You can open the source in a modern browser and click a link to look at the full JavaScript file containing the ajax call.

I could possibly minify the JavaScript file for obfuscation, but that's not a form of security to be relied upon.

I am using PDO for database access with prepared statements against SQL injection attacks, but if someone took the time to look, couldn't they just form a valid URL, send it off to the database and insert what they want?

I am not talking about hacking the database to steal information; I am more talking about inserting malicious information as though the data was added from the application itself. Think of adding something to your shopping cart that is $50 for only $25.

Is it just as simple as turning the ajax request from GET to POST and changing my PHP files?

Edit: the user is logged in and properly authenticated.

Just wondering what other people out there do.

Thanks!

Recommended answer

You are quite correct, anyone who is slightly tech savvy can identify the public server endpoints for any webapp. They don't even need to look at the code. They can just use their webkit/firebug to track the request, or a program like Charles which monitors network activity.

That's why you need authentication and authorization handling in your server-side code.

Authentication is typically handled by a username and password; it is the act of verifying a user is who he is.

Authorization can be handled by Roles on the server, and is the check to make sure the user can do what they are trying to do.

With those two mechanisms in place, even if a user knows a URL, they still need to "log in" and have permission to do what they want to do.

Think about it. If you look at your bank account information online, you can easily identify the requests that load your account info. Without these mechanisms, what is to prevent you from simply changing the account-id you pass to the server to try and get someone else's account info? With authentication/authorization, the server knows that even if it gets a request to load some data, it can check the user's details to see if they have permission to get that data, and deny the request.
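The pattern the answer describes, written out as an added example (not code from the question or the answer): a PHP endpoint behind the jQuery ajax call that takes identity from the server-side session, validates only an item id and quantity from the form, and reads the price from the database via PDO so a forged request cannot set its own price. The table and column names, session key and connection string are assumptions.

```php
<?php
// Added example: server-side checks that do not depend on how the request was built.
// Assumed: $_SESSION['user_id'] is set at login; tables products and cart_items exist.
declare(strict_types=1);
session_start();
header('Content-Type: application/json');

// 1. Authentication: who the caller is comes from the session, never from the form.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    echo json_encode(['error' => 'login required']);
    exit;
}
$userId = (int) $_SESSION['user_id'];

// 2. State-changing actions only via POST (the verb alone is not a security boundary).
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

// 3. Validate the fields the client may legitimately choose; a client-sent price is ignored.
$itemId = filter_input(INPUT_POST, 'item_id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$qty    = filter_input(INPUT_POST, 'qty', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 99]]);
if (!is_int($itemId) || !is_int($qty)) {
    http_response_code(400);
    echo json_encode(['error' => 'invalid input']);
    exit;
}

$pdo = new PDO('mysql:host=localhost;dbname=shop', 'app', 'DB_PASSWORD_PLACEHOLDER', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

// 4. Trusted data: the price is looked up server-side, so a $50 item cannot be added for $25.
$stmt = $pdo->prepare('SELECT price_cents FROM products WHERE id = ? AND active = 1');
$stmt->execute([$itemId]);
$priceCents = $stmt->fetchColumn();
if ($priceCents === false) {
    http_response_code(404);
    echo json_encode(['error' => 'unknown item']);
    exit;
}

// 5. Authorization by ownership: the cart row is bound to the authenticated user,
//    not to any user id the form might carry.
$stmt = $pdo->prepare('INSERT INTO cart_items (user_id, product_id, qty, price_cents) VALUES (?, ?, ?, ?)');
$stmt->execute([$userId, $itemId, $qty, (int) $priceCents]);
echo json_encode(['ok' => true, 'price_cents' => (int) $priceCents]);
```

The same idea applies to the bank example in the answer: a "load account" endpoint would filter its query by the session's user id (or check the user's role) rather than trusting an account id sent by the browser.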