关于如何将ajax与django结合使用的所有tutorials都说我应该做这样的事情。但是这样做安全吗?有人不能只是将浏览器中的值更改为某些恶意SQL吗?如果是这样,如何预防呢?
javascript
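// Read the comment text from the input next to the clicked element and the
// id of the post it replies to. Declared with var so they do not leak as
// implicit globals (the original assigned them undeclared).
var text = this.previousElementSibling.value;
var parent = this.parentNode.id;

ajax.open('POST', '/post/comment/', true);
ajax.onreadystatechange = function () {
    // readyState 4 also fires for failed requests; without the status check
    // a server error page would be appended to the comment list.
    if (this.readyState == 4 && this.status >= 200 && this.status < 300) {
        var reply = document.createElement("DIV");
        reply.classList.add('post');
        // The response is inserted as HTML, so the server must HTML-escape
        // the submitted text when it renders the response (Django templates
        // do this by default). Echoing the raw text back would let a
        // commenter inject markup/script into every reader's page (XSS);
        // confirm how /post/comment/ builds its response.
        reply.innerHTML = this.responseText;
        document.getElementById('comments').appendChild(reply);
    }
};

// The CSRF token header is what lets Django accept this JSON POST; the body
// carries the two values the view reads.
ajax.setRequestHeader("X-CSRFToken", csrf_token);
ajax.setRequestHeader('Content-Type', 'application/json');
ajax.send(JSON.stringify({'text': text, 'parent': parent}));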
views.py
def post_comment(request):
    """Create a Comment on an existing Post from a JSON request body.

    Expects a POST whose body is a JSON object with keys ``parent`` (the
    primary key of the Post being replied to) and ``text`` (the comment
    body). The comment is attributed to ``request.user`` and placed in the
    parent post's group. No return statement is visible in this excerpt;
    the view may continue beyond it.

    On the question this code accompanies: both values from the body are
    handed to the ORM as query parameters, so editing ``parent`` or
    ``text`` in the browser cannot inject SQL through these statements.
    What the ORM does not do is validate or authorize: an unknown
    ``parent`` raises ``Post.DoesNotExist``, a missing key raises
    ``KeyError``, invalid JSON raises ``json.JSONDecodeError``, and nothing
    here checks that ``request.user`` is authenticated or allowed to comment
    on that post — confirm those are enforced upstream (e.g. a
    ``login_required`` decorator) or add them.
    """
    if request.method == 'POST':
        # Parses the raw body rather than request.POST because the client
        # sends application/json, not form data. Malformed JSON raises
        # json.JSONDecodeError; a JSON value that is not an object fails on
        # the key lookups below.
        body = json.loads(request.body.decode('utf-8'))
        # Parameterized lookup: the pk is bound by the ORM, never spliced
        # into SQL. Any pk the client sends is accepted, so this is where to
        # enforce who may reply to which post; an unknown pk raises
        # Post.DoesNotExist (a 500 unless caught or turned into a 404).
        parent = Post.objects.get(pk=body['parent'])
        # The text is stored as submitted. Escaping belongs where it is
        # rendered (Django template autoescaping), since the client-side
        # code on this page inserts the response into the DOM as HTML.
        comment = Comment.objects.create(
            author=request.user,  # assumes an authenticated user — verify upstream
            parent=parent,
            group=parent.group,
            text=body['text']
        )