I read documents online. They say that
A GET-Ajax request is used for getting data from the server.
A POST-Ajax request is used for change data on the server.
But why is it?
A Get-Ajax request can change the data on the server TOO, right?
Why should only the POST-Ajax request change the data?
Is it because of a security reason or something? Please explain to me
GET and POST are different methods for web requests that provide different features/describe different intentions for programmers and APIs. You are correct that, technically speaking, if you want to do some other CRUD operation on the server when using a GET request, you can. Most would probably argue that this is not a good idea, in part for security/performance features that either method provides. Example: GET requests can be cached, POST cannot.
More on that here: https://www.w3schools.com/tags/ref_httpmethods.asp
Related
I'm using GraphQL (Spring Boot, Kotlin), and I have a specific issue with headers.
We need the client to send three pieces of information that we combine to retrieve internal sensitive data. That data is then used inside resolver codes.
Getting the headers from rest is as easy as #RequestHeader, but in GraphQL it has proved quite challenging. Is there a way I can save the headers to check for the three pieces of information I need?
I looked closely at spring security, but I can't figure out how to get a custom method to work in my method chain, much less save the headers in a way that I can access them from the domain layer.
I could always simply request the auth as a GraphQL type, but that puts a fairly high burden on the client and complicates the schema.
Any and all feedback is welcome.
GraphQL has a FetchDataEnvironment. You can use it by passing FetchDataEnvironment as the last variable in any resolver/query. Then, just call
environment.getContext<GraphQLEnvironentClass>().getHttpServletRequest.headers()
To anyone in the future - I'm sorry this code isn't exact, but your strong typing in your IDE will show you what I mean.
So I've done quite a bit of reading on stackoverflow and found a lot of question about how to do cross domain calls with either ajax post or jsonp. I know how to do that in both ways but let's do a reality check:
AJAX Post, if I use phonegap to compile the package, cross domain call is automatically availability . Or iframe wrapper etc can be used to hack around the security constraint.
use JSONP format, it's HTTP GET but I get cross domain capability for free as that's what JSONP is for. The data to be posted will be passed as a parameter value instead of being a payload as in an HTTP POST request.
Now my question is that is there a best practice/preferred way among the two? Pros and Cons?
Personally I don't see a practical difference between two. i.e. in a non-encrypted request, both POST or GET expose everything in clear text anyway, so they are just same piece of text arranged in different formats. My main concerns are around extension to make the connection secure and spam proof but there could be other stuffs that I probably should be mindful about as well - educate me please! E.g. easeness to add HTTPS over SSL or if I want to restrict who can send request to my server. I'm new to web technology (i.e. defined standards, protocols, frameworks) but am reasonably experienced on general development/computer science topics.
I have an app that I am trying to pull data from a remote database. I have the url and the table columns and database name but i'm not sure how to call on that database with an http get. Below is my code:
def self.data
BubbleWrap::HTTP.get("url", {credentials: {username: '***', password: '***'}}) do |response|
p response.to_s
end
end
I know this request is working because it shows me data in the console.I can't find anywhere how to request information from a database attached that url. Any help would be greatly appreciated. I have been working with Ruby for a year now but new to RubyMotion.
Not sure to understand exactly your question, but you might want to take a look at this link and this one, explaining how to retrieve and handle data from a service.
Hope it helps.
This may be too elementary, but with an HTTP request you are not querying a database, you are requesting data from an HTTP server. It's the job of the server to look your request over, go to the database, retrieve the data, package it (often in JSON format), and ship it back. I believe that's what #railsdog was referring to in terms of marshaling.
Now, a couple of other comments:
"url" in your code should be an actual endpoint like https://my.server.org/api/some_endpoint.json. The payload containing credentials can be attached as a query string, however, you might want to consider POST and SSL, as I say in my next point.
You should never send credentials in clear text over HTTP. If you have to send sensitive information, use HTTPS (set up your server to respond to SSL-encrypted requests).
It's probably best to authenticate once on first request and get a token you can use on subsequent requests so as not to expose usernames and passwords unduly. Perhaps you can fill in a few blanks about what your server is (Rails, some public API, other) and it will make it easier to help.
You will need to accept the data from the server in some recognizable format. JSON is very well supported. BubbleWrap has a JSON parser to help turn the results into a hash. Alternate formats are XML (ick) or XML-RPC (ick, ick), or SOAP (ick, ick, ice).
If you're way ahead of me on this and it's too basic to be of use, I apologize.
Let's say we have a simple node JS backend, paired with a standard NoSQL document store such as CouchDB. Since our database is just a document key-store with no schema, anything can get inserted. And since our server is built on JSON as well, ultimately POST requests that come in from the client with JSON payloads end up getting stored directly into our data store.
This of course is very convenient and makes for a lightweight application. I've been wondering, though, short of writing code for every possible insertion endpoint to verify that each POST or PUT request is well-formed, is there anything to prevent an attacker from firing up their developer console and spoofing POST/PUT requests, allowing them to insert any kind of junk data they wish into our datastore? It would not be too difficult to wreck an application's data this way.
Clearly token-based authentication can ensure that only authenticated users can access these service endpoints, but that doesn't prevent them from spoofing these request with the same HTTP headers that valid requests have. This is all quite simple with today's browser developer tools.
In a traditional server language like Java, JSON PUTs and POSTs are marshalled to a highly-structured class-based Object. Requests whose payloads do NOT match these formats are rejected with HTTP errors.
Does anyone know of tools or paradigms for node which ensures that requests like this meet some basic structure criteria?
I know all about SQL injections, and peeking into javascript files that a website uses, and also that GET requests contain all of the information in a URL.
Is there any security concern that is special to AJAX and only pertains to using AJAX?
For example, sending post requests via AJAX seems completely safe to me. Barring SQL injections, I can't think of one thing that could go wrong... is this the correct case?
Also, are "requests" of any kind that a user's browser sends or any information it receives available to be viewed by a third party who should not be viewing? And can that happen to AJAX post requests ('post' requests specifically; not 'get')?
It's like any other form of data input: validate your values, check the referrer, authenticate the session, use SSL.