On the PHP side, there is a whitelist, for example:
<?php
// Allowlist of column names the user may update; checked with a strict comparison.
if (!in_array($_POST['field'], array(
    'every', 'field', 'this', 'user', 'is', 'allowed', 'to', 'edit'
), true)) {
    die("you do not have access to modify field " . htmlentities($_POST['field'], ENT_SUBSTITUTE));
}
// Only an allowlisted identifier reaches the SQL text; the new value is still bound as a parameter.
$st = $db->prepare("UPDATE table SET " . $_POST['field'] . " = ?");
$st->execute(array($_POST['newData']));
And on the JS side:
var xhr = new XMLHttpRequest();
xhr.open("POST", "?");
var fd = new FormData();
fd.set("newData", "foobar");
fd.set("field", "allowed");
xhr.send(fd); // no problem! "allowed" is in the whitelist!
// send() can only be called once per opened request, so open a new one before sending again.
xhr = new XMLHttpRequest();
xhr.open("POST", "?");
fd.set("field", "password");
xhr.send(fd); // error! you do not have access to modify field "password"!
Use a whitelist? Not sure what you're asking. – jeroen 2015-03-13 18:21:04
Validate the incoming data based on the logged-in user. – ceejayoz 2015-03-13 20:21:34
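The same allowlist idea as the answer above, combined with the per-user check from the comment, as an added server-side example (not code from the original answer): the column identifier that reaches the SQL text is taken from a constant allowlist keyed by role, the value is bound as a parameter, and the WHERE clause is scoped to the caller's own row. The table, column and role names are constructed for illustration.

```javascript
// Constructed per-role allowlist of columns a caller may update.
// Editing "role" is reserved for admins in this example.
const EDITABLE_COLUMNS = {
  user: ["display_name", "bio", "avatar_url"],
  admin: ["display_name", "bio", "avatar_url", "role"],
};

// Builds a parameterized UPDATE for the caller's own row, or throws.
// The raw request string is never interpolated: the identifier used in the
// SQL text is the allowlist entry itself, found by exact (strict) match.
function buildProfileUpdate(role, requestedField, newValue, userId) {
  const allowed = EDITABLE_COLUMNS[role];
  if (!allowed) {
    throw new Error(`unknown role: ${String(role)}`);
  }
  // Reject non-strings (e.g. field[]=... arriving as an array) and anything
  // that is not an exact allowlist member.
  const idx = typeof requestedField === "string" ? allowed.indexOf(requestedField) : -1;
  if (idx === -1) {
    throw new Error(`you do not have access to modify field ${JSON.stringify(requestedField)}`);
  }
  const column = allowed[idx]; // constant from the allowlist, not from the request
  return {
    sql: `UPDATE users SET ${column} = ? WHERE id = ?`,
    params: [newValue, userId], // bound by the driver, never concatenated
  };
}
```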