I am trying to get a variable from JavaScript to PHP, but I heard that this is not secure because people can use software to change the POST data. What can I do to pass a JavaScript variable into PHP securely? Do I use sessions? Cookies?
Thank you
CodePudding user response:
The mechanism used to send data from the client to the server is irrelevant. POST or otherwise, the risks are the same.
There are two classes of people you might care about changing data being sent from the browser to the server.
Third parties
e.g. a man-in-the-middle attack intercepting the data and rewriting it. The defence against this is to use HTTPS and not plain HTTP.
The user of the browser
As far as web developers should be concerned, the user and the browser are one.
The browser is a piece of software completely under the control of the user.
If the user wants to change the data that their browser is sending to the server, then they can. There is nothing you can do about that.
You mentioned sessions.
A session can store data on the server, and then have it be retrieved in a subsequent request.
This allows you to prevent the user from changing data that originates on the server.
There is nothing you can do to stop them changing data that originates on the client.
CodePudding user response:
HTTPS
As noted in another answer, HTTPS is the key to protecting against something between the user's computer and the server.
Server Side Validation
The protection against a user doing something bad (whether annoying, stupid or truly malicious) is server-side validation. For example, if a value can be 1, 2 or 3, you may include a check in JavaScript before submitting the POST to the server to make sure that the user entered 1, 2 or 3 and didn't leave the field blank and didn't enter 0 or 4 or anything else. But since the user controls their browser, they could disable or bypass or modify the JavaScript to send some other value. Every field that has any constraints (length, required, alpha vs. numeric, special characters required or prohibited, etc.) must have those constraints verified by the server. Relying on client (JavaScript) validation is simply not enough.
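The server-side re-check described in this answer, as an added example that is not part of the original post: a PHP handler that validates POST fields against a rule table (the field names `choice` and `nickname` and the rules are assumptions for illustration), rejecting blank, wrongly typed and loosely-matching values such as `1abc` that a cast to integer would silently accept.

```php
<?php
declare(strict_types=1);

// Every constraint the client-side JavaScript enforces is re-checked here,
// because the client can be altered freely. Field and rule names are
// assumptions for this example, not from the original post.
const RULES = [
    'choice'   => ['required' => true, 'allowed' => ['1', '2', '3']],
    'nickname' => ['required' => true, 'min' => 3, 'max' => 20,
                   'pattern' => '/^[A-Za-z0-9_]+$/'],
];

/**
 * Validate a POST array against RULES.
 * Returns field => error message; an empty array means the input is valid.
 */
function validatePost(array $post): array
{
    $errors = [];
    foreach (RULES as $field => $rule) {
        $value = $post[$field] ?? null;
        // Arrays (e.g. choice[]=1) or other non-strings are never acceptable.
        if ($value !== null && !is_string($value)) {
            $errors[$field] = 'unexpected type';
            continue;
        }
        if ($value === null || $value === '') {
            if ($rule['required']) { $errors[$field] = 'required'; }
            continue;
        }
        // Strict comparison: "1abc", " 1" and "1.0" are all rejected, whereas
        // (int)$value would turn each of them into 1 and let them through.
        if (isset($rule['allowed']) && !in_array($value, $rule['allowed'], true)) {
            $errors[$field] = 'not an allowed value';
        }
        if (isset($rule['min']) && mb_strlen($value) < $rule['min']) { $errors[$field] = 'too short'; }
        if (isset($rule['max']) && mb_strlen($value) > $rule['max']) { $errors[$field] = 'too long'; }
        if (isset($rule['pattern']) && !preg_match($rule['pattern'], $value)) { $errors[$field] = 'invalid characters'; }
    }
    return $errors;
}

// Constructed sample standing in for $_POST: a client that bypassed the JavaScript checks.
$post   = ['choice' => '1abc', 'nickname' => 'a b'];
$errors = validatePost($post);
if ($errors !== []) {
    http_response_code(400);   // reject the whole request; process nothing from it
    echo json_encode(['errors' => $errors]), PHP_EOL;
} else {
    echo 'ok', PHP_EOL;        // only now is $post safe to use in the application
}
```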
