Ajax Only Access

AJAX only access

You cannot reliably prevent this from happening. The key really is not to consider someone accessing this file directly as a security issue - plan for this being possible and you will be in a much more secure place.

Some people might recommend code that looks like this (or similar):

if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) 
     && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
    // more code here
}

However, the fact of the matter is that HTTP headers can be spoofed quite easily and are not a means of securing code. In my testing on a busy site a while back i noticed that these headers are not actually that reliable anyway.

how can i restrict the access to only ajax requests?

With expressjs, you can respond only to xhr requests like this:

function handleOnlyXhr(req, res, next) {
  if (!req.xhr) return next();
  res.send({ "answer": "only is sent with xhr requests"});
}

(in your example, routes.inicio.inicio would use the pattern above by checking req.xhr)

PHP - Only allow access via AJAX

Would it be possible somehow to only allow access to those files using ajax, and not just by browsing to them?

No.

You could add extra HTTP headers, or modify existing ones (such as Accept) when you make the request from JavaScript … but since you are trying to do this for security reasons, that would be insufficient.

Of course I could import my user class and authenticate each of the AJAX files individually

Do that. Ajax requests are not special. They are just HTTP requests. End points created for Ajax should be secured with authentication/authorization just like any other HTTP request end point.

What is the best way to ensure a page was only accessed through the AJAX form in order to process it?

if (isset(($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') && $_SERVER['HTTP_X_REQUESTED_WITH']))
{
  // Code that will run if this file called via AJAX request
} 
else 
{
  // Code that will run when accessing this file directly
}

Prevent a File for Direct Access should only access by Jquery Ajax

I would implement some fundamental concepts here. I try to describe them here as simple as possible:

1) In your GET request (calling your CreateAdmin.php) start a session (if not already done) and create a random string that you store to your session:

$_SESSION["token"] = sha256(uniqid(mt_rand(), true));

2) Add the token to your form as a hidden field

<input type="hidden" name="token" value="<?php echo $_SESSION["token"]; ?>">

3) Now do a http POST request with jQuery Ajax call (should not be a GET request). Important include your hidden token from the form. You could also include a special value in your JS that indicate that this is coming form a Ajax call, but this dose not make your Save.php more secure (see below).

4) In you Save.php check first if the call is a POST request, if not do not continue. Than check if the hidden token is included and matching the value in the session (you have to start it), if not do not continue.

if (!isset($_POST['token']) || $_POST['token'] != $_SESSION['token']) die('invalid');

5) If both checks pass you can continue to do your DB stuff but first I would do some additional checks about your data quality that means if the rest of the input is valid e.g.:
Field is not empty if required or the field values has a minimum or maximum length or check if only allow characters included, etc.

6) In all cases I would delete the token from your session.
Generate a new one for the next request if required.

You maybe also want to limit the time how long a token is valid, or check if the user from this session has the right to do this action.

There will be no speed issue with this. There are more things that could be considered but this should be the minimum.

For example you ask that this request should be only possible by Ajax. To be honest I would not take to much effort to check this. You could try to check if the "HTTP_X_REQUESTED_WITH" with "XmlHttpRequest" was included, but this dose not give you much more security. You can simulate a Ajax/POST request very easy in any modern Bowser with the Developer Tools. But with the described method it is not enough just putting the path to your Save.php file in the Browser.

Disallow direct access while allowing ajax call

Am not sure its just a single PHP file or you are using any Framework or a CMS.

But you can try, 

if (__FILE__ == $_SERVER['DOCUMENT_ROOT'].$_SERVER['PHP_SELF'] && !isset($_GET['ajax'])){
  die("Direct access forbidden");
}

Invoke this file using 

xmlhttp.open("GET","getverse.php?ajax=1",true);

Related Topics

Does the Order of Class Definition Matter in PHP

Domxpath - Get Href Attribute and Text Value of an a Element

How to Calculate Time Difference in PHP

Transfer Variables Between PHP Pages

Wordpress Fatal Error: Uncaught Error: Call to Undefined Function MySQL_Connect() in /Wp-Includes/Wp-Db.Php:1570

$_Post Max Array Size

Call to Undefined Function Odbc_Connect() Message While Connecting Sap Hana Database

How to Get Data in Function Extend Controller

$Php_Autoconf Errors on MAC Os X 10.7.3 When Trying to Install Pecl Extensions

When to Use Index.PHP Instead of Index.Html

How to Call a PHP Function from Ajax

Check If "Exec" Is Disabled

Using Simplexml to Load Remote Url

JavaScript Function Post and Call PHP Script

Mysql_Connect(): No Connection Could Be Made Because the Target MAChine Actively Refused It

Datetime Class VS. Native PHP Date-Functions

Call to Undefined Method Domdocument::Getelementsbyclassname()

How to Retrieve Comments from Within an Xml Document in PHP


Leave a reply



Submit