Member Avatar for extjac

Hello, what would be the best way to prvent people to run a php script/file that is on ajax.post(URL)

$.ajax({
  type: 'POST',
  url: 'http://www.mydomain.com/ajax/somefile.php?action=insert',
  data: data,
  success: success,
  dataType: dataType
});

if you see code above...let's say that an advanced user or hacker go to: http://www.mydomain.com/ajax/somefile.php?action=insert i would like to echo something like: go away...and prevent any code for running.

I saw codeigniter uses this at the top of every file:

if (!defined('BASEPATH')) exit('No direct script access allowed');.

Any recomendation??? .htaccess????

Edited by extjac
  • 2 Contributors
  • 2 Replies
  • 283 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by extjac
Member Avatar for diafol

I'll have a go at this as nobody has replied yet. I'm no expert at this, but AFAIK, you can't secure an ajax call. It's made from the client so it can be faked easily.
You could do this:

if($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
     ...see if it's an ajax call...
}

But this won't protect you. Your php code should be locked down to only work with a user login if it completes any changes to the DB or files. Otherwise, what harm can it do? Make sure that all error reporting is off in your production site - you don't want to give away any details about your DB or your code.

You could use session id possible with a hash and check it in the php file.

Edited by diafol
Member Avatar for extjac

thank u sir!

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.