在过去,当我用jQuery编写HTML时,为了访问特定的PHP页面,我总是这样做:
user.php?Action=1&User=Adrian.....
这将返回纯文本JSON,jQuery将其转换为javascript对象。不过,关于这个方法,我有几个问题。
多谢!
1) It depends on what you're transferring. If you're transferring credit card data via HTTPS, definitely. If you're transferring less sensitive data, maybe not.
2 and 3) Make sure you check your input for SQL injection, just as you would with any $_GET variable. You should really treat it how you would normally treat $_GET data
Whenever I've allowed JSON/crud access, I've always secured the PHP page serving it (user.php) behind session-based access-control rules (role-based or group-based permissions). I then white-list which tables/fields that user/group/role is allowed to access. The level of sophistication depends on the nature of the data that is being served.
For number 2, it depends what you're doing.
If you are doing anything with the 'user.php' file to make any changes to the DB, you would want to use POST rather than GET (this hides the parameters from the URL bar, and is safe if your page is getting crawled/scraped).
To use POST, in your user.php file replace instances of $_GET with $_POST.
In your jQuery Ajax call, make sure parameter "type" is set to "POST"
type: "POST",
GET requests should only ever be for doing anything that gets and displays data from your data model (DB, whatever). POST requests are for making any updates, additions (stricter would be PUT), or deletions (DELETE).
If you want only that specific user to access the user.php script, then you would want check the user's session and make sure it matches with the user trying to access the particular user parameter.