I was wondering how to develop a secure form post through AJAX.

For example, I have:

My HTML form.

My JavaScript handling the submit.

The submit url is "post_data.php"

The posted data is:

id=8&name=Denis

The PHP verifies if the variables id and name are POSTed and checks their data types. If this is OK, it proceeds to do some stuff on a database.

My question is, how can I prevent someone from creating his own HTML form, outside my web site or wherever, and posting false data to my PHP script?

Imagine that data really exists in my database; this could be bad.

Thanks

+3  A: 

One very common way to do this is to have a token of some kind included in a <hidden> field on your form, and the same one saved in a session variable (or somewhere else) on your server. When the post is submitted, you check that the token is valid.

Someone else could still forge a token, but they can't (in any easy way, at least) force you to save the same token on your server, so no other form than your own will be accepted.

This is, for example, how the built-in support for this in ASP.NET MVC works.

Tomas Lycken
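An added example, not part of the question or of Tomas Lycken's answer, of the token scheme the answer describes in the question's PHP setting: the token is generated once per session, placed in a hidden field, and checked server-side before `id` and `name` are validated. The field name `csrf_token` and the database step are assumptions.

```php
<?php
// Added example (not from the original question or answer): a per-session
// anti-forgery token for the post_data.php flow described above. Assumes
// PHP 7+ with sessions; the field name "csrf_token" and the DB step are
// placeholders.
session_start();

// Issue a token once per session and keep it server-side.
function get_csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare in constant time so a timing difference does not leak the token.
function csrf_token_is_valid($submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // post_data.php side: reject the request before looking at id/name.
    if (!csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing form token');
    }
    // The type checks the question describes: integer id, non-empty name.
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    $name = trim((string)($_POST['name'] ?? ''));
    if ($id === false || $id === null || $name === '') {
        http_response_code(400);
        exit('Bad input');
    }
    // ... database work goes here (placeholder) ...
    exit('OK');
}

// Form side: the token sits in a hidden field; the AJAX handler submits the
// whole form, including that field, to post_data.php.
$token = htmlspecialchars(get_csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form id="f" method="post" action="post_data.php">
  <input type="hidden" name="csrf_token" value="{$token}">
  <input type="number" name="id"> <input type="text" name="name">
  <button type="submit">Send</button>
</form>
HTML;
```

A form built on another site can copy the hidden field's name but not the value stored in the visitor's session on this server, so its post fails the `hash_equals` check.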