{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 【Aperson】 的问题《Security of ajax vs regular form data》','https://www.manongdao.com/q-793874.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Just wondering on the difference in security of
<input type="hidden" name="id" value="<?php echo $id; ?>">
vs.
jQuery(this).ajaxSubmit({
data: { id: '<?php echo $id; ?> }
});
when sending form data. Is one method more vulnerable to hacking than the other? What is the best way to securely send form data so outsiders can't tamper with or change the id number?
Form vs AJAX doesn't make a difference. What makes a difference is if you're using GET or POST and if you're using HTTPS or HTTP.
If you don't want your data tampered with, you should use HTTPS and POST instead of GET or non-encrypted HTTP POST. See this for a comparison of GET vs POST. Get will create a querystring, which is part of the URL, that has the data in it and the URL is visible to sniffers even if you're using HTTPS.
If you use POST, the posted message contains your data so sniffing will only see the URL, which won't reveal the ID, but they won't be able to see the ID being posted to the server so they can't temper with it.
There is no difference in the security. In both cases, an HTTP POST request is sent to the server and a response is received from the server. Aside from perhaps some headers in the request, the server doesn't even really know or care what the difference is between the two.
To illustrate, take a look at the Network requests in your browser debugging tools (Firebug or Chrome tools) when submitting a regular form POST and an AJAX POST. The two are very close to identical, save for the browser maybe adding another header or two for the AJAX one.
There isn't. Any savvy user can manually craft an HTTP POST request to include any data they want. Browsers these days even have handy tools to help with this for development and debugging purposes. The general rule is for the server-side code to never implicitly trust requests sent from a client. Always validate that the user has access to do what they're trying to do, that the data isn't malicious or is otherwise properly sanitized before using it (particularly in database queries as a common example), and so on.
Essentially there is no difference from a security standpoint. In both circumstances it is trivial for someone to see the id, and in both circumstances it is trivial for someone to construct their own request to your API.
The way to make your forms secure is to make sure that everything is always validated on the server. While adding things like form validation on the client side can make for a better user experience, it isn't security. You should always assume that your server can receive invalid and malicious data in requests and take that into account.