hidden file problem in ajax

I saw a question in Google Groups (jQuery) last week:
http://groups.google.com/group/jquery-en/browse_thread/thread/4fc3dc88359f93f5?hl=en

For example I have a page: http://mysite.com/content/index.php.
On this page I use $.ajax:

$.ajax({
    type: "GET",
    data: "data=123456",
    dataType: 'html',
    url: "temp.php",
    error: function(msg) {…},
    success: function(msg) {…},
    complete: function() {…}
});

where temp.php is http://mysite.com/content/temp.php. On temp.php I make
requests to the DB with the param from $.ajax, data=123456.

How can I protect the page temp.php? For example, somebody types
http://mysite.com/content/temp.php?data=123456 and then he can get all
the results.

I found one solution: using if($_SERVER['HTTP_REFERER'] == "http://mysite.com/content/") {…}

But I am not sure that it can really protect my page. Or am I not right?

——

And I have tried a few things to stop that hidden page from being viewed directly.

Option 1:

By HTTP_REFERER
Add one line at the top of temp.php to refuse requests that arrive without a Referer header (note that the PHP key is spelled HTTP_REFERER, with a single R; HTTP_REFERRER is never set, so a check on it would reject every request):

if (!isset($_SERVER['HTTP_REFERER']))
    exit;

This stops execution when the URL is typed straight into the address bar, because the browser then sends no Referer at all.
BUT it is not reliable: some browsers and privacy settings strip the Referer header, which locks out legitimate users, and the header is set by the client, so any tool other than a browser (curl -H 'Referer: http://mysite.com/content/' ...) can supply whatever value the check expects.

So we can try
Option 2:
By POST data
Change the above JavaScript, replacing GET by POST:

$.ajax({
    type: "POST",
    data: "data=123456",
    dataType: 'html',
    url: "temp.php",
});

Add these lines at the top of temp.php ($_GET is an empty array, and therefore falsy, when there is no query string):

if ($_GET)
    exit;

This stops execution when the data is given in the query string, as in http://mysite.com/content/temp.php?data=123456. It does not stop anyone who sends the same parameter in a POST body, which every HTTP client can do (curl -X POST -d data=123456 ...); it only changes how the request has to be built.

By combining the above two we can write

if ($_GET || !isset($_SERVER['HTTP_REFERER']))
    exit;

This stops the hidden Ajax page from being opened directly in a browser, but it is not access control: a crafted POST request that carries a Referer header passes both checks. If the data behind temp.php must not be readable by just anyone, temp.php needs the same login/session check that index.php has, and the database query should return only the rows the logged-in user is allowed to see.
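The following is an added example, not code from the original post or from the Google Groups thread, showing what actually protects temp.php in place of the Referer and $_GET checks above: the session decides who is asking, a per-session token proves the request was made by script on our own page, and the query itself is restricted to the user's rows. It assumes the site already has a login that sets $_SESSION['user_id']; the token name csrf_token, the header name X-CSRF-Token, the items table with its title and owner_id columns, and the PDO connection details are all choices made here, not anything the post describes. Both files are shown in one block.

```php
<?php
// ---- index.php (added example; assumes a login already set $_SESSION['user_id']) ----
session_start();
if (!isset($_SESSION['user_id'])) {
    http_response_code(403);
    exit('login required');
}
// One random token per session; stored server-side, handed to the page's own script.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
$token = htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8');
?>
<!-- jQuery is assumed to be loaded on this page, as in the original question. -->
<script>
$.ajax({
    type: 'POST',
    url: 'temp.php',
    data: { data: '123456' },
    // The token rides in a request header; only script running on our origin can read it.
    headers: { 'X-CSRF-Token': '<?= $token ?>' },
    dataType: 'html',
    success: function (msg) { /* render msg */ }
});
</script>

<?php
// ---- temp.php (added example): the "hidden" endpoint ----
session_start();

// 1. Who is asking? The Referer header cannot answer this; the session can.
if (!isset($_SESSION['user_id'])) {
    http_response_code(403);
    exit;
}

// 2. Reject GET so the URL cannot simply be pasted into the address bar or an <img>.
//    On its own this is not protection: curl -X POST -d data=123456 still gets through.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

// 3. Prove the request was made by our page. Unlike Referer, which any client can
//    set (curl -H 'Referer: http://mysite.com/content/' ...), the token is known only
//    to this session and to script served from our origin. PHP exposes the
//    X-CSRF-Token header as $_SERVER['HTTP_X_CSRF_TOKEN']; hash_equals avoids a
//    timing side channel in the comparison.
$sent = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
if (empty($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $sent)) {
    http_response_code(403);
    exit;
}

// 4. Validate the parameter, then query with a bound value, never by string
//    interpolation. Restricting the query to owner_id is the real authorization:
//    even a logged-in user cannot enumerate other people's rows by changing 'data'.
$id = filter_input(INPUT_POST, 'data', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit;
}
// Hypothetical connection details and schema (items.id, items.title, items.owner_id).
$pdo = new PDO('mysql:host=localhost;dbname=mysite', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare('SELECT title FROM items WHERE id = :id AND owner_id = :owner');
$stmt->execute([':id' => $id, ':owner' => $_SESSION['user_id']]);
foreach ($stmt as $row) {
    echo '<p>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . '</p>';
}
```

With this in place the Referer and $_GET checks become unnecessary: a request that is not from a logged-in session, is not a POST, or does not carry that session's token is refused before the database is touched, and a request that passes all three can still only read rows belonging to that user.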

Posted in Ajax, Jquery, PHP, Tutorial.

One Response to hidden file problem in ajax

  1. Thanks for every other excellent article. Where else may just anybody get that kind of info in such a perfect manner of writing? I have a presentation next week, and I’m at the look for such information.
