jQuery Ajax voting (jQuery, Ajax)

2023-09-10 18:02:36 Author: 没心没肺^也不愈

I am using this jQuery Ajax voting system guide as a rough reference, but I am a little troubled by the security of this. Right now this guide basically stores the ID of something and the vote statistics for it.

I'd like to go off a similar idea, but I need to include the userID as well so a user can only vote once. This is stored in a PHP session variable, and I was wondering whether the Ajax page that gets called will have access to that session or not. If not, what is a safe way of passing in the parameter so it can't be hijacked by a man-in-the-middle attack or faked?

Recommended answer

The server will have access to the session data through the AJAX call as long as you call session_start(); at the top of your script. You should also make sure you sanitize your data, as I see that tutorial is doing queries without passing the data through mysql_real_escape_string. You should also put a UNIQUE KEY (user_id, id) on the votes table to ensure there are no dupes.
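To show the three points of the answer together (session available to the Ajax endpoint, no raw values in SQL, and a UNIQUE KEY stopping repeat votes), here is an added example of a `vote.php` endpoint; it is not code from the tutorial or from the answer. It uses a PDO prepared statement instead of mysql_real_escape_string (the mysql_* extension is gone in PHP 7+), and the table definition, column names, parameter names (`id`, `vote`) and DSN/credential placeholders are assumptions.

```php
<?php
// vote.php (added example). Assumes the votes table was created as:
//   CREATE TABLE votes (user_id INT NOT NULL, id INT NOT NULL, vote TINYINT NOT NULL,
//                       UNIQUE KEY (user_id, id));
session_start();                        // makes $_SESSION available to this Ajax endpoint
header('Content-Type: application/json');

// The voter's identity comes from the server-side session, never from the request body,
// so the client cannot submit someone else's user_id.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    echo json_encode(['error' => 'not logged in']);
    exit;
}

// filter_input returns null when the field is absent and false when it fails validation.
$itemId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
$vote   = filter_input(INPUT_POST, 'vote', FILTER_VALIDATE_INT);
if (!is_int($itemId) || !in_array($vote, [1, -1], true)) {   // only up (+1) or down (-1) votes
    http_response_code(400);
    echo json_encode(['error' => 'bad parameters']);
    exit;
}

// Placeholder DSN and credentials; replace with the real ones.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER',
               'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

try {
    // Prepared statement: the values are bound, not spliced into the SQL text,
    // so no escaping step is needed and the query cannot be altered by input.
    $stmt = $pdo->prepare('INSERT INTO votes (user_id, id, vote) VALUES (:uid, :id, :vote)');
    $stmt->execute([':uid' => $_SESSION['user_id'], ':id' => $itemId, ':vote' => $vote]);
    echo json_encode(['ok' => true]);
} catch (PDOException $e) {
    // SQLSTATE 23000 = integrity constraint violation: the UNIQUE KEY (user_id, id)
    // rejected a second vote by the same user on the same item.
    if ((string) $e->getCode() === '23000') {
        http_response_code(409);
        echo json_encode(['error' => 'already voted']);
    } else {
        http_response_code(500);
        echo json_encode(['error' => 'database error']);
    }
}
```

Because the uniqueness is enforced by the database rather than by a check-then-insert in PHP, two concurrent requests from the same user cannot both succeed.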
