Like a lot of you guys know that the javascript functions or methods can be ran through browser adress bar. I want to prevent that happening by what kind of concept i should use where user may NOT know what has to go into my functions arguments when it has ran in the adress bar and would NOT work!?
I wanna use a concept just like twitter-follow-button. But if people know specific things(id,date etc) they can hack it thru gaining more followers and stuff. i only want it to be running when it gets clicked.
Using Programs: PHP, jquery, css
so the examples can be based on the followings above.
any help appriciated.
thanks in advance.
You can’t.
You can obfuscate code, but that won’t prevent it being reverse engineered or simply rewritten. It is the HTTP requests that matter, not the JS that makes them.
You need to, on the server, authenticate that the user making the request is allowed to make the request. In that particular instance you can do it by using the session data for the currently logged in user to determine which user becomes the follower.
You should also implement CSRF protection so that another site can’t forward users to your site.
You can’t trivially stop Malory from giving Alice some JavaScript to put in the address bar which will make the requests. That’s a social engineering attack. Browsers are implementing protection against it now though (e.g. blocking javascript: uris from the address bar and making people use the developer tools instead).
You can implement rate limiting so that a script can’t make a user follow 10s of people in a short period of time.
You could have the request be one that requires a full page request to a different subdomain, and have that subdomain pull up a conformation request back to the original server. Since the user has to interact with data from two host names, a single pasted script won’t be able to go through the full process (since the same origin policy exists). That is probably overkill though.