s0c0 Posted August 21, 2007

I'd like to get a little insight on which of the following two is the better method, looking from both the aspects of simplicity and security. I've just completed work on my second Ajax project and set up my calls like so.

Page: something.php

A user event triggers a JavaScript function. This function builds a URL string with some data and makes an HTTP GET request to something.php. The URL string might look something like this: something.php?function=doSomething&value=1

At the very top of the page, something.php, there is session control that will redirect a user if they do not have a valid session. After this there is a switch statement that looks something like this:

    // Dispatch an Ajax request to the matching PHP function; only the
    // actions named in the switch are reachable.
    if (isset($_GET['function'])) {
        switch ($_GET['function']) {
            case 'doSomething':
                echo somePHPFunction($_GET['value']);
                break;
            case 'dontDoIt':
                echo someOtherPHPFunction($_GET['value']);
                break;
        }
        return; // stop here so the rest of the page is not parsed for an Ajax call
    }

I think this is pretty secure, since no one can pass anything into the page without having a valid session. It seems very simple, as each time you create a new JavaScript function that will be doing a request you just add another case to your switch statement, and it's low on bandwidth, as once it hits that case it returns and no further parsing of that particular page is done. It also centralizes code into a single page. Are there any downsides to doing it this way, i.e., is having an external page better?
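A runnable version of the single-page dispatcher described in the post above, added here as an example (it is not the poster's code). The file name something.php, the handler names somePHPFunction / someOtherPHPFunction and the session key user_id are taken from, or stand in for, the names in the post. Beyond what the post shows, it adds two things that the thread itself does not discuss: integer validation of the value parameter, and a per-session token for actions that change state, because a browser sends the session cookie on any request to this origin, including one triggered from another site, so the cookie alone does not prove the request came from this page's own JavaScript. It assumes PHP 7 or later.

```php
<?php
// Added example modelled on the dispatcher pattern in the thread.
// Hypothetical file name: something.php. Not the original poster's code.
declare(strict_types=1);

session_start();

// 1. Session gate, as in the post. An XMLHttpRequest cannot usefully follow a
//    redirect to a login page, so Ajax calls get a 401 and page loads a redirect.
if (empty($_SESSION['user_id'])) {
    if (isset($_GET['function'])) {
        http_response_code(401);
        exit('not logged in');
    }
    header('Location: login.php'); // hypothetical login page
    exit;
}

// Hypothetical handlers standing in for the functions named in the post.
function somePHPFunction(int $value): string
{
    return "did something with $value";
}

function someOtherPHPFunction(int $value): string
{
    return "refused to do it with $value";
}

// 2. Explicit allow-list of exposed actions. The switch in the post is already
//    an allow-list; a map keeps the whole exposed surface visible in one place
//    and records which actions change server-side state.
$actions = [
    'doSomething' => ['handler' => 'somePHPFunction',      'mutates' => true],
    'dontDoIt'    => ['handler' => 'someOtherPHPFunction', 'mutates' => false],
];

if (isset($_GET['function'])) {
    $name = (string) $_GET['function'];
    if (!isset($actions[$name])) {
        http_response_code(400);
        exit('unknown action');
    }

    // 3. Validate the parameter instead of handing the raw string to the handler.
    $value = filter_input(INPUT_GET, 'value', FILTER_VALIDATE_INT);
    if ($value === false || $value === null) {
        http_response_code(400);
        exit('value must be an integer');
    }

    // 4. State-changing actions must echo back the token the page handed to its
    //    own script. A request carrying only the session cookie is refused.
    if ($actions[$name]['mutates']) {
        $known = $_SESSION['ajax_token'] ?? '';
        $given = (string) ($_GET['token'] ?? '');
        if ($known === '' || !hash_equals($known, $given)) {
            http_response_code(403);
            exit('bad token');
        }
    }

    header('Content-Type: text/plain; charset=utf-8');
    echo $actions[$name]['handler']($value);
    return; // nothing below this line is parsed for an Ajax call
}

// Ordinary page load: mint the token once per session and expose it to the
// page's JavaScript, which appends &token=... to its state-changing requests.
if (empty($_SESSION['ajax_token'])) {
    $_SESSION['ajax_token'] = bin2hex(random_bytes(16));
}
$token = htmlspecialchars($_SESSION['ajax_token'], ENT_QUOTES, 'UTF-8');
echo "<script>var ajaxToken = '{$token}';</script>\n";
// ... the rest of the page's HTML and the JavaScript that builds
//     something.php?function=doSomething&value=1&token=<ajaxToken>
```

With the page loaded normally, a request such as something.php?function=doSomething&value=1&token=... returns the handler's output; the same URL without the token, or with a non-integer value, or naming an action not in the map, is refused with a 4xx status rather than falling through to the rest of the page.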
deadimp Posted August 22, 2007

Yeah, that's essentially how I've been doing it. Your point on security is correct, in that it can filter out (i.e. not respond to) any undefined functions / actions. As for where I store this, I actually switch between writing the Ajax response in the main script that requests it (by putting the variable 'ajax' in GET) and having a separate page. As to which style is better, I can't really decide yet. Having the Ajax right next to everything else in the same file makes it easy to change the functionality, but it sometimes becomes cluttered. Having the Ajax response handled in an external file is good if you want to avoid clutter, but you have to be sure to maintain that file and others for that, uh, module.
s0c0 (author) Posted August 22, 2007

It's much easier to secure Ajax on an intranet; on the internet, that's when you have to really be careful. Thanks for your comments, anyone else have input on this?