How to track fields on a web application

Published 12-07 03:30 · 386 words · 0 views · 0 comments


Take Facebook's reply-to-status as an example. When you reply to someone's status, does the script look into the DOM of that status for the ID of that status, and send an Ajax request to update the entry with that ID?

If that's the case, couldn't you just modify the ID and pollute the data?

P.S. As a follow-up, I've seen a client-side MVC implementation, Backbone.js, that manages things like the above without the use of any ID, which I still haven't figured out how.

http://documentcloud.github.com/backbone/docs/backbone.html

Here is the source; the relevant code ('view') starts in the last 1/4.


Comments (2)

赠我空喜 2024-12-14 03:30:29

It will still verify that it's a valid id on the server side, that you have permissions to follow up to that user's statuses, etc.

日裸衫吸 2024-12-14 03:30:29

Yes you can, but keep in mind it's all session/friends list/permissions based too.

There are still checks involved on the server regarding "does user A have access to making a comment on user B's action". Assuming you type a bogus ID, it still needs to be verified you can post on the (spoofed) ID.

If you can, you just made a post on a completely separate topic which is now presumably out of context.
If you can't the post doesn't go through and no worries.

What it comes down to is that the UI is a "convenience" check. There's no real integrity to validating other than gently guiding the user to travel the correct path. The server is where the real protection is because, as every real programmer knows, the user cannot be trusted.
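The check the answer above describes, as an added example that is not part of the original post: the client sends only a status ID, and the server looks it up and decides from the session user, the status owner and the friends list whether the comment may be written. The `Store`, `Status` and `post_comment` names and the sample data are constructed for this illustration, not Facebook's or Backbone's code.

```python
# Constructed example: server-side authorization for "reply to status".
# The status ID in the request is client-controlled and therefore untrusted;
# it is only a lookup key, never a proof of permission.
from dataclasses import dataclass, field


@dataclass
class Status:
    id: int
    author: str
    audience: str  # "public" or "friends" (constructed visibility model)


@dataclass
class Store:
    statuses: dict = field(default_factory=dict)   # id -> Status
    friends: dict = field(default_factory=dict)    # user -> set of friends
    comments: list = field(default_factory=list)   # (status_id, user, text)


def can_comment(store: Store, user: str, status: Status) -> bool:
    """Does `user` have access to commenting on `status`? Decided server-side
    from the relationship data, not from anything the client sent."""
    if status.author == user or status.audience == "public":
        return True
    return user in store.friends.get(status.author, set())


def post_comment(store: Store, session_user: str, status_id: int, text: str):
    """Handle the Ajax call. Returns (http_status, message)."""
    status = store.statuses.get(status_id)
    if status is None:                      # bogus or deleted ID
        return 404, "no such status"
    if not can_comment(store, session_user, status):
        return 403, "not allowed"           # spoofed ID, post does not go through
    store.comments.append((status_id, session_user, text))
    return 201, "created"                   # allowed, even if out of context


def demo_store() -> Store:
    """Constructed sample data: alice's friends-only status, bob's public one."""
    s = Store()
    s.statuses[1] = Status(1, "alice", "friends")
    s.statuses[2] = Status(2, "bob", "public")
    s.friends["alice"] = {"carol"}
    return s
```

Changing the ID in the DOM only changes which status is looked up; whether the write happens is still decided by `can_comment` on the server.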
