
Hello, what would be the best way to prevent people from running a PHP script/file that is called from ajax.post(URL)?

$.ajax({
  type: 'POST',
  url: 'http://www.mydomain.com/ajax/somefile.php?action=insert',
  data: data,
  success: success,
  dataType: dataType
});

If you see the code above... let's say that an advanced user or hacker goes to: http://www.mydomain.com/ajax/somefile.php?action=insert. I would like to echo something like: go away... and prevent any code from running.

I saw codeigniter uses this at the top of every file:

if (!defined('BASEPATH')) exit('No direct script access allowed');

Any recommendation??? .htaccess????

Edited by extjac


I'll have a go at this as nobody has replied yet. I'm no expert at this, but AFAIK, you can't secure an ajax call. It's made from the client so it can be faked easily.
You could do this:

if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
    // the request carries the header jQuery adds to its ajax calls
}

But this won't protect you. Your php code should be locked down to only work with a user login if it completes any changes to the DB or files. Otherwise, what harm can it do? Make sure that all error reporting is off in your production site - you don't want to give away any details about your DB or your code.

You could use a session id, possibly with a hash, and check it in the php file.

Edited by diafol
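As an added example (not code from this thread), here is what ajax/somefile.php looks like when it follows the reply's advice: the X-Requested-With header is treated only as a hint, while a logged-in session plus a session-bound token do the actual gating, so a direct visit to the URL gets "go away" and runs nothing. It assumes the site's login code sets $_SESSION['user_id'] and a random $_SESSION['csrf_token'], and that the page issuing the $.ajax call includes that token in its POST data as csrf_token.

```php
<?php
// Added example, not from the thread: ajax/somefile.php locked down the way
// the reply suggests. A direct visit to the URL is harmless because every
// state-changing action needs a logged-in session and a per-session token.
session_start();
ini_set('display_errors', '0');   // never leak DB or code details to callers
header('Content-Type: application/json');

function deny(int $status, string $message): void {
    http_response_code($status);
    echo json_encode(['error' => $message]);
    exit;
}

// 1. Only accept POST: a GET typed into the address bar is rejected outright.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    deny(405, 'go away');
}

// 2. X-Requested-With is only a hint (any client can send it), so it is
//    recorded as a signal and never used to authorize anything.
$looksLikeAjax = isset($_SERVER['HTTP_X_REQUESTED_WITH'])
    && strcasecmp($_SERVER['HTTP_X_REQUESTED_WITH'], 'XMLHttpRequest') === 0;

// 3. The real gate: the caller must hold an authenticated session.
//    $_SESSION['user_id'] is assumed to be set by the site's login code.
if (empty($_SESSION['user_id'])) {
    deny(401, 'login required');
}

// 4. Anti-CSRF token bound to the session (the "session id with a hash").
//    Assumed: login stores bin2hex(random_bytes(32)) in $_SESSION['csrf_token']
//    and the page making the $.ajax call sends it as the csrf_token POST field.
$token = $_POST['csrf_token'] ?? '';
if (!isset($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $token)) {
    deny(403, 'bad token');
}

// 5. Only now dispatch on ?action=..., and only to known actions.
switch ($_GET['action'] ?? '') {
    case 'insert':
        // ... do the insert for $_SESSION['user_id'] with prepared statements ...
        echo json_encode(['ok' => true, 'ajax' => $looksLikeAjax]);
        break;
    default:
        deny(400, 'unknown action');
}
```

On the client side the only change to the $.ajax call from the question is adding the csrf_token field to its data object; the action parameter can stay in the URL.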
