Hi all, I've been using AJAX for a while and I've been storing my trivial PHP include files in the public directory tree. Then I thought, I really should be putting my classes and includes above the public document root (as I used to do before I started dabbling with AJAX).
I know JS can't access anything above the document root, but a PHP file called by AJAX JS could. That just seems like a fudge to me (?).
I suppose the PHP file being called by AJAX HAS to be within the doc root, otherwise it couldn't work. Seeing as headers can be spoofed, it's almost impossible to protect against remote-site calling of these PHP files. Can't help thinking of some sort of session variable...
Has anybody out there any experience of this? How did you overcome it? Or am I missing something here?
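As an added example (not code from the original post) of the "session variable" idea the question gestures at: a PHP endpoint that stays inside the document root, because that is the only place a browser can reach it, but loads its real logic from an include above the document root and refuses any request that does not carry a token bound to the caller's session. Request headers such as Referer or X-Requested-With are client-controlled and are deliberately not used. The file layout, the names `ajax/lookup.php`, `includes/lib.php`, `csrf_token` and `lookup_record()` are assumptions for illustration.

```php
<?php
// Added example, not from the original thread.
// Assumed layout:
//   /var/www/includes/lib.php       <- above the document root, never served
//   /var/www/public/ajax/lookup.php <- this file, reachable over HTTP
//   /var/www/public/index.php       <- page that embeds csrf_token() in its JS

declare(strict_types=1);

session_start();

/**
 * Issue (or reuse) a per-session token. The page that serves the JS embeds
 * this value, and the JS posts it back with every AJAX request. A remote site
 * cannot read it: it lives only in our session and in a page the browser will
 * not hand to another origin.
 */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/**
 * Decide whether one request may run. Nothing here trusts a header:
 * Referer, Origin, X-Requested-With and friends can all be set by whoever
 * makes the request. The only thing checked is that the caller presented
 * the secret held in *this* session.
 */
function request_is_authorised(array $session, array $post, string $method): bool
{
    if ($method !== 'POST') {
        return false;                                  // no state changes over GET
    }
    if (empty($session['csrf_token']) || empty($post['csrf_token'])) {
        return false;                                  // no session token, or none supplied
    }
    // hash_equals() compares in constant time so the token cannot be
    // guessed byte by byte through response timing.
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

header('Content-Type: application/json');

if (!request_is_authorised($_SESSION, $_POST, $_SERVER['REQUEST_METHOD'] ?? 'GET')) {
    http_response_code(403);
    echo json_encode(['error' => 'forbidden']);
    exit;                                              // nothing below is reached
}

// Only an authorised request gets as far as loading the real code, which
// sits outside the web root where the web server cannot serve it directly.
require_once __DIR__ . '/../../includes/lib.php';    // assumed to define lookup_record()

echo json_encode(lookup_record((string) ($_POST['id'] ?? '')));
```

The page that serves the JavaScript calls `csrf_token()` once and embeds the value (for example in a `data-` attribute or a hidden field); the AJAX code then sends it as the `csrf_token` POST field on every call. Run from the command line with no session or POST data, the script takes the 403 branch and exits before the include is needed, which is also the behaviour a cross-site caller sees: the endpoint is reachable, but it does nothing for them.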