<p><strong>In general...</strong></p>
<blockquote> <p>Anything on the client side is insecure. Therefore, any script may be called by anybody at any time using any set of parameters.</p> </blockquote>
<p><strong>Protecting a specific script</strong></p>
<p>Therefore, we need to <strong>prepare something on the server side</strong> that verifies something as valid at a later point in time.</p>
<p>Let's call it a <strong>security-token</strong>. A security-token needs to be a <strong>sufficiently long and random</strong> string. The security-token needs to be <strong>non-predictable</strong>. In this case, only the server-side application can be the source of this token.</p>
<p>Save this security-token to the user's session and pass it along to the client. Associate the security-token with the script call to be protected. Your session might have this property:</p>
<pre><code>// stored in the session, not in $_SERVER: the server is the only party that can write it
$_SESSION[ 'sys$securityTokens' ] = array(
    'AHSsd67sdSJDH/D6wehsd' =&gt; array(
        'script' =&gt; 'sensibleScript.php',
        'params' =&gt; array( 'kid' =&gt; 3, 'var5' =&gt; 12 )
    ),
    'KSD87sd78sdsfk(DDF/sd' =&gt; array(
        'script' =&gt; 'someOhterSensibleScript.php',
        'params' =&gt; array( 'value' =&gt; 'welcome!' )
    )
);
</code></pre>
<p>Note that this structure <strong>associates security-tokens with script names and valid parameters</strong> to be called later on.</p>
<p>If the client needs to call the script using JavaScript, it passes the security-token back to the server.</p>
<p><strong>On the server side...</strong></p>
<p>If a sensitive script request comes in and the correct security-token is part of the request, remove the security-token from the session and execute the script.</p>
<p>If a sensitive script request comes in with no security-token, reject the request.</p>
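The issue-and-consume cycle described in the answer above, as an added PHP example written for this page (it is not the answerer's code). The helper names <code>issueToken()</code> and <code>consumeToken()</code>, the session key <code>securityTokens</code>, the ten-minute expiry and the in-memory array standing in for <code>$_SESSION</code> are assumptions; the answer itself only specifies a long random token stored in the session, bound to a script name and its parameters, and removed on first use.

```php
<?php
// Added example, not from the original answer. Hypothetical helpers
// issueToken() / consumeToken(); the session key and the expiry are assumptions.
declare(strict_types=1);

const TOKEN_SESSION_KEY = 'securityTokens';   // assumption: where tokens live in the session
const TOKEN_LIFETIME    = 600;                // assumption: 10 minutes; the answer sets no lifetime

/**
 * Canonical form of a script call so that parameter order does not matter
 * when the client's call is compared with what the token was issued for.
 */
function canonicalCall(string $script, array $params): string
{
    ksort($params);
    return json_encode([$script, $params], JSON_THROW_ON_ERROR);
}

/**
 * Issue a token for one specific script call and record it in the session.
 * random_bytes() is the CSPRNG, so the token is long (256 bits) and
 * unpredictable; only the server can produce a value the session will accept.
 */
function issueToken(array &$session, string $script, array $params): string
{
    $token = bin2hex(random_bytes(32));
    $session[TOKEN_SESSION_KEY][$token] = [
        'script'  => $script,
        'params'  => $params,
        'expires' => time() + TOKEN_LIFETIME,
    ];
    return $token;
}

/**
 * Validate an incoming request. The token is removed from the session before
 * any further check, so it can be used exactly once. Returns the bound
 * script/params on success, or null, in which case the caller must reject.
 */
function consumeToken(array &$session, ?string $token, string $script, array $params): ?array
{
    if ($token === null || !isset($session[TOKEN_SESSION_KEY][$token])) {
        return null;                                  // no token, or one the server never issued
    }
    $entry = $session[TOKEN_SESSION_KEY][$token];
    unset($session[TOKEN_SESSION_KEY][$token]);       // burn it first: single use even on failure

    if ($entry['expires'] < time()) {
        return null;                                  // stale token
    }
    // Constant-time comparison of the call the token was issued for
    // against the call the client is actually making.
    $expected = canonicalCall($entry['script'], $entry['params']);
    $actual   = canonicalCall($script, $params);
    if (!hash_equals($expected, $actual)) {
        return null;                                  // different script or tampered parameters
    }
    return $entry;
}

// --- Demo with an in-memory array standing in for $_SESSION (constructed input) ---
$session = [];
$call    = ['kid' => 3, 'var5' => 12];

// Server renders the page and issues a token for one specific call.
$t = issueToken($session, 'sensibleScript.php', $call);

// 1. Client calls back with the token and the same parameters.
var_dump(consumeToken($session, $t, 'sensibleScript.php', $call) !== null);

// 2. Replay of the same token.
var_dump(consumeToken($session, $t, 'sensibleScript.php', $call) !== null);

// 3. Fresh token, but the client changed a parameter.
$t2 = issueToken($session, 'sensibleScript.php', $call);
var_dump(consumeToken($session, $t2, 'sensibleScript.php', ['kid' => 4, 'var5' => 12]) !== null);

// 4. Request with no token at all.
var_dump(consumeToken($session, null, 'sensibleScript.php', $call) !== null);
```

Only the first call is accepted; the replay, the tampered parameters and the missing token are all rejected because the token is deleted from the session the moment it is looked up and the bound call is compared with <code>hash_equals()</code>. Note what this scheme does and does not give you: it is a one-time nonce tied to a session, so it stops a script being called with parameters the server never offered, but it relies entirely on the session cookie and the transport being protected, and the session store is the only copy of the token, so a server that forgets to remove an entry on use loses the single-use guarantee.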