Questions about legality

Question

I am a novice, and a security issue suddenly occurred to me when I was writing code today.

For various ajax requests, can hackers submit code externally? Because the JS file browser can see it, that is, it can know your code. So if a hacker uses our domain name to submit it externally, can PHP determine whether it is legal? For example, determine whether our own files were submitted?

For example, my js file has a code section

$('input').click(function(){
    $.post('index.php',{a:xx,b:xx},function(a){
        xxxxx
    })
})
那么如果黑客通过外部提交
xxxxxxxxxxx
$('input').click(function(){
xxxxxx
    $.post('http://www.xxxx.com/index.php',{a:xx,b:xx},function(a){
        xxxxx
    })
xxxxxx
})
xxxxxxxxxxx

How to write it in PHP to prevent it?

Answer 1

Do you know more about CSRF?

Answer 2

External submissions are normal and injection needs to be prevented through procedures.

Answer 3

According to what you said, the data submitted by external ajax simulation is cross-domain.

You have multiple ways to deal with this. For example:

1. You can set access permissions. For example, only logged-in members can view it or limit the domain name. This will make it difficult for others to crawl. But this obstacle can always be overcome.

2. Use session to generate a token. Verify the session after submission. If it is legal, log out the session immediately to ensure that there is a new token every time.

3. Analyze access logs and restrict suspicious IP access from the server level.

4. Record the operation density of each IP. If it is more frequent, you can ask for verification codes from time to time.

...

There are many methods, but no one is the best. It is recommended to take a multi-pronged approach. Hope to adopt~