php - Preventing erroneous AJAX Calls by the user -


i have webpage in user awarded x points on clicking button. button sends ajax request(jquery) php file awards points. uses post.

as client side, php file, parameters visible user.

can user automate process making form same fields , sending request ?

how can avoid type of csrf ? session authentication not useful.

you should handle on server-side, if want prevent multi-vote or prevent same people voting several time on same subject. why real votes use authenticated users , never anonymous votes.

by checking request xmlhttprequest (with @shaun hare response code or linked stackoverflow question in questions comments) block of csrf won't prevent repost user, using tools livehttpheaders 'replay' , such. everything coming client side can forged, everything.

edit* if it's not voting system commented, problem teh same, nedd 'something' know if user doing action first time, or if can still action. there's lot of different things available.

you can set token on page, use token in ajax requests, , invalidate token later usage server side. 1 way. problem store these tokens server-side (sessions, caches, etc)

another way check on server side situation still valid situation (for example request asking update 'something' should maybe handle hash/marker/timestamp can verify current server side state.

this generic question, solutions depends on reality of 'performed action'.


Comments

Post a Comment

Popular posts from this blog

apache - Add omitted ? to URLs -

i working on website cms reads page name of query string, e.g. http://exmaple.com/?pagename . trying create rewrite rule rewrite ? . so, user types in /pagename , taken /?pagename try this: rewriteengine on rewritecond %{request_filename} !-d rewritecond %{request_filename} !-f rewriterule ^/?(.*) index.php?$1 [l]
Read more

redirect - bbPress Forum - rewrite to wwww.mysite prohibits login -

i using bbpress installation without wordpress integration. the redirect of rewriteengine @ forum site works: rewriteengine on rewritecond %{http_host} ^forum.mysite.com$ rewriterule (.*)$ http://www.forum.mysite.com/$1 [r=301,l] the problem login pppress. bbpress login not recognize: http://www.forum.mysite/bb-login.php . it redirects to: http://forum.mysite.com/bb-login.php . i tried permalink settings none , name based, same issue. does uses redirect in bbpress or how can eliminate "double" content , redirect permanently www.? i redirected www.forum.mysite.com forum.mysite.com , achieved eliminate "double" content.
Read more

php - How can I stop spam on my custom forum/blog? -

so have custom built forum & blog system of late has been dealing lot of spam. if wordpress use akismet, if different common platform i'm sure i'd find plugin. there kind of static class can download this? using php. i'd still go akismet, if it. uses outside of wordpress, may have pay fee it, depending on use -- check terms , conditions -- it's option , easy implement in php using api. use api key wordpress. com account access. basically, grab whichever php client library takes fancy -- use alex potsides' php5 library -- plug in key, , it's handful of lines of code. here's bare bones of validation straight 1 of live sites: ... if ($akismet) { $akismet->setcommentauthor($name); $akismet->setcommentauthoremail($session->userinfo["email"]); $akismet->setcommentauthorurl(""); $akismet->setcommentcontent($sentence);...
Read more