我已經爲管理員編寫了PHP和javascript的組合,以無縫地給用戶提供沒有頁面重新加載的點數。這是我第一次真正使用Ajax,所以我想提一些關於改進代碼的提示。我怎樣才能讓它更安全/更高效?順便說一句,這段代碼在html源代碼中是可見的。我該如何改進這個Ajax腳本?
P.S:如果有關於這類事情的最佳實踐,請讓我知道併發布您對該主題的任何鏈接。
// First pass: add the points
function addBonus()
{
document.getElementById('response').innerHTML = '<img src=images/loading2.gif></img>'; // Show that process is taking place
var xmlHttp = getXMLHttp();
xmlHttp.onreadystatechange = function()
{
if(xmlHttp.readyState == 4)
{
verifyPoints(); // Check if points have actually been given
}
}
// Generated by templating system
// Triggers call to PHP page that gives bonus points to user
var url="page.php?id=2&a=bonus";
xmlHttp.open("GET", url, true);
xmlHttp.send(null);
}
// Second pass: check the points have been given
function verifyPoints(){
var xmlHttp = getXMLHttp();
xmlHttp.onreadystatechange = function()
{
if(xmlHttp.readyState == 4)
{
HandleResponse(xmlHttp.responseText);
}
}
url="GetPoints.php?i=2"; // Generated by templating system
xmlHttp.open("GET", url, true);
xmlHttp.send(null);
}
function HandleResponse(response)
{
var oldPoints = parseInt(document.getElementById('numPoints').innerHTML);
var currentPoints = parseInt(response);
if(currentPoints == (oldPoints + 150)){
document.getElementById('response').innerHTML = '<img src=images/tick.png></img>'; // Bonus points added: show tick icon
} else {
document.getElementById('response').innerHTML = '<img src=images/cross.png></img>'; // Bonus points not added: show red cross icon
}
document.getElementById('numPoints').innerHTML = currentPoints; // Update points display
}
偉大的回答邁克。很多信息讓我繼續。目前page.php不檢查管理員是否給予獎金。我可以傳遞一個ID或將頁面放入一個模板並在那裏進行檢查。您正確地使用POST而不是GET。以下是有關跨網站攻擊的良好鏈接:http://shiflett.org/articles/foiling-cross-site-attacks – 2011-04-10 19:21:43