我有点困惑使用哪种方法： 1使用jQuery调用执行订单的HttpHandler页面。 2-使用ICALLBACKEventHandler - 更多 你能给我一些建议关于哪一个更有效地使用。 谢谢

I'm a little bit confused about which method to use : 1- using Jquery to call HttpHandler page that implement an order . 2- using ICALLBACKEventHandler - read more . Can you give me some advise about which one is more efficient to use. Thanks

推荐答案

我建议你到这个链接，以帮助您更好地了解这些选项，然后选择你想要的：

Basic reading

I suggest you this links to help you understand better the options and choose what you want:

为什么ASP.NET AJAX的UpdatePanel是 危险吗？

Why ASP.NET Ajax UpdatePanels are dangerous?

使用jQuery直接调用阿贾克斯 页 方法的。

Using jQuery to directly call Ajax Page Methods.

简化调用ASP.NET AJAX 从服务 jQuery的。

Simplify calling ASP.NET Ajax Services from jQuery.

我preFER使用 jQuery.ajax（），也的 jQuery的模板插件在需要时（加载表格数据来自AJAX调用）。一个轻量级的方法，并与更多的控制权交给开发商。 我不喜欢微软是如何喜欢生成愚蠢codeS，当我们用自己的处理程序的。

I prefer to use jQuery.ajax() and also jQuery Templates Plugin when needed (loading tabular data from AJAX calls). A lightweight approach and with much more control to the developer. I don't like how Microsoft likes generating stupid codes when we use their handlers.

不过没关系，你可以有一些安全问题，你指出的意见。

But it's okay, you could has some security issues as you pointed on comments.

您注意到有关便于操作的引用站点的是有趣的，但此漏洞并不jQuery的排斥。问题是，AJAX的概念本身已经带有几个安全漏洞，该是多年来讨论的已知问题。

Your note about the ease manipulation of the Referer was interesting, but this vulnerability isn't jQuery exclusive. The problem is that the concept of AJAX itself already carries several security holes, which are known problems discussed over the years.

要注意，使用 ICallbackEventHandler 的不是解决办法的，因为它只是另一种方式来产生AJAX请求没有你不必很重要输入。但是，如果异步请求存在，它总是可以被拦截，在某种程度上，就像一个 $。阿贾克斯（）可以。

It's important to observe that using ICallbackEventHandler isn't a solution, since it's only yet another way to generate AJAX requests without you having to type it. But if the asynchronous request exists, it always can be intercepted in some way, like a $.ajax() could be.

最后，你已经给了一个差不多的回答：这是更好地工作，通过安全令牌作为参数的。如果您的工作与母版，该令牌生成一个 HiddenField 将被抽象为一个单一的code。您还可以与负责制定AJAX与此令牌作为参数调用JavaScript函数封装。一切都是软件体系结构的问题而已。

Finally, you already gave an "almost" answer: it's better to work passing security tokens as a parameter. If you works with MasterPage, the token generation in a HiddenField will be abstracted to a single code. And you can encapsulate with a JavaScript function responsible for making AJAX calls with this token as parameter. Everything is just a matter of software architecture.

我把它叫做一个差不多的答案，因为没有什么是完全安全的，并的安全令牌还可以砍死。是的，它更硬并不多见，但99％是从来没有100％。

I called it an "almost" answer because nothing is fully secure and security tokens can also be hacked. Yes, it's much more hard and rare, but 99% is never 100%.

您用 ICallbackEventHandler 第二个选项可能有很多的安全问题，以及你与 $第一个选项。阿贾克斯（），因为处理程序将产生一些code类似于任何code，你会打字。最后，你的选择必须是口味的问题。但记得阅读并采取有关安全要求的途径的几点思考在这两种情况下。

Your second option with ICallbackEventHandler could have many security issues as well as your first option with $.ajax(), since a handler will generate some code similar to any code that you would type. In the end, your choice must be a matter of taste. But remember to read and take the required approachs about security on both cases.