Problem description
I'm new to using AJAX, and I just followed a tutorial to retrieve some info from my database using AJAX and outputting it on the page. There's a line where I call a PHP script which is where the database query is made, and the result is echoed out. I'm a little concerned that since the filename is visible on the frontend, and its only purpose is to directly output database results, it might present a security issue. Is there any way to protect that file, and make sure it only runs the query when called via the AJAX script?
Here's the bit of AJAX code in question (note the "somefile.php" line):
    // Declarations the snippet relies on (added so it runs stand-alone):
    var ajaxRequest = new XMLHttpRequest();
    var element = document.getElementById("result"); // assumed target element id

    ajaxRequest.onreadystatechange = function() {
        if (ajaxRequest.readyState == 4) {
            var ajaxResponse = ajaxRequest.responseText;
            element.innerHTML = '<h2>' + ajaxResponse + '</h2>';
        }
    };
    ajaxRequest.open("GET", "somefile.php", true);
    ajaxRequest.send(null);
Thanks for any answers.
Recommended answer
Put your PHP code within this check:
    <?php
    // Only run the query when the X-Requested-With header says "XMLHttpRequest".
    if (!empty($_SERVER['HTTP_X_REQUESTED_WITH'])
        && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest')
    {
        /* Your code here */
    }
All AJAX requests do have this header set. As all headers, this one too might be forged, so as always don't trust anything coming from the client, filter/whitelist the incoming request parameters and take care of your database using prepared statements.
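As an added example (not code from the question or the answer above), here is what a complete somefile.php built on that advice could look like: the header check, a whitelisted integer "id" parameter, and a prepared statement. The database name, credentials, table and column are assumptions, and the example assumes the client sets the header itself with ajaxRequest.setRequestHeader("X-Requested-With", "XMLHttpRequest") after open(), because a bare XMLHttpRequest like the one in the question does not add it on its own.

```php
<?php
// Added example, not the original page's code. The "id" parameter, the
// "items" table and the connection details are assumptions for illustration.
declare(strict_types=1);

header('Content-Type: application/json; charset=utf-8');

// The X-Requested-With check from the answer. Any HTTP client can add this
// header, so it only stops plain browser navigation to the URL, not a
// deliberately crafted request; the real protection comes below.
$xrw = $_SERVER['HTTP_X_REQUESTED_WITH'] ?? '';
if (strtolower($xrw) !== 'xmlhttprequest') {
    http_response_code(403);
    echo json_encode(['error' => 'forbidden']);
    exit;
}

// Whitelist the incoming parameter: only a positive integer id is accepted,
// anything else (missing, text, negative) is rejected before touching the DB.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    echo json_encode(['error' => 'invalid id']);
    exit;
}

// Prepared statement: the value is bound separately, never spliced into SQL.
// Disabling emulated prepares makes MySQL itself do the parameter binding.
$pdo = new PDO('mysql:host=localhost;dbname=example_db', 'db_user', 'db_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$stmt = $pdo->prepare('SELECT title FROM items WHERE id = :id');
$stmt->execute([':id' => $id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    http_response_code(404);
    echo json_encode(['error' => 'not found']);
    exit;
}

// Return structured JSON instead of a raw HTML fragment.
echo json_encode($row);
```

On the client side, parse the JSON and put the value into the element with textContent rather than building markup with innerHTML as the question's snippet does, so database content is never interpreted as HTML.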