Prevent Direct Access To File Called By ajax Function
Most Ajax requests/frameworks should set this particular header that you can use to filter Ajax v Non-ajax requests. I use this to help determine response type (json/html) in plenty of projects:
if( isset( $_SERVER['HTTP_X_REQUESTED_WITH'] ) && ( $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' ) )
{
// allow access....
} else {
// ignore....
}
edit:
You can add this yourself in your own Ajax requests with the following in your javascript code:
var xhrobj = new XMLHttpRequest();
xhrobj.setRequestHeader("X-Requested-With", "XMLHttpRequest");
Prevent Direct access to PHP file using AJAX
Your code is unnecessarily overcomplicated. If your intent is merely to ensure that visitors to protected.php have first visited index.php then all you need to do is create a session flag in one and check for its existence in the other. There is no need for any AJAX or any form POSTs. The innate behavior of PHP sessions already gives you this functionality.
index.php:
<?php
session_start();
$_SESSION['flag'] = true;
?>
<a href="protected.php">click here for the protected page</a>
protected.php:
<?php
session_start();
if ($_SESSION['flag'] ?? false) {
echo "you have previously visited index.php";
} else {
echo "you have not previously visited index.php";
}
?>
Prevent direct access to a PHP page
As others have said, Ajax request can be emulated be creating the proper headers.
If you want to have a basic check to see if the request is an Ajax request you can use:
if($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
//Request identified as ajax request
}
However you should never base your security on this check. It will eliminate direct accesses to the page if that is what you need.
Prevent a File for Direct Access should only access by Jquery Ajax
I would implement some fundamental concepts here. I try to describe them here as simple as possible:
1) In your GET request (calling your CreateAdmin.php) start a session (if not already done) and create a random string that you store to your session:
$_SESSION["token"] = sha256(uniqid(mt_rand(), true));
2) Add the token to your form as a hidden field
<input type="hidden" name="token" value="<?php echo $_SESSION["token"]; ?>">
3) Now do a http POST request with jQuery Ajax call (should not be a GET request). Important include your hidden token from the form. You could also include a special value in your JS that indicate that this is coming form a Ajax call, but this dose not make your Save.php more secure (see below).
4) In you Save.php check first if the call is a POST request, if not do not continue. Than check if the hidden token is included and matching the value in the session (you have to start it), if not do not continue.
if (!isset($_POST['token']) || $_POST['token'] != $_SESSION['token']) die('invalid');
5) If both checks pass you can continue to do your DB stuff but first I would do some additional checks about your data quality that means if the rest of the input is valid e.g.:
Field is not empty if required or the field values has a minimum or maximum length or check if only allow characters included, etc.
6) In all cases I would delete the token from your session.
Generate a new one for the next request if required.
You maybe also want to limit the time how long a token is valid, or check if the user from this session has the right to do this action.
There will be no speed issue with this. There are more things that could be considered but this should be the minimum.
For example you ask that this request should be only possible by Ajax. To be honest I would not take to much effort to check this. You could try to check if the "HTTP_X_REQUESTED_WITH" with "XmlHttpRequest" was included, but this dose not give you much more security. You can simulate a Ajax/POST request very easy in any modern Bowser with the Developer Tools. But with the described method it is not enough just putting the path to your Save.php file in the Browser.
Disallow direct access while allowing ajax call
Am not sure its just a single PHP file or you are using any Framework or a CMS.
But you can try,
if (__FILE__ == $_SERVER['DOCUMENT_ROOT'].$_SERVER['PHP_SELF'] && !isset($_GET['ajax'])){
die("Direct access forbidden");
}
Invoke this file using
xmlhttp.open("GET","getverse.php?ajax=1",true);
Block direct access to PHP file except from AJAX request?
If you're using jQuery to make the XHR, it will set a custom header X-Requested-With. You can check for that and determine how to serve your response.
$isXhr = isset($_SERVER["HTTP_X_REQUESTED_WITH"])
AND strotlower($_SERVER["HTTP_X_REQUESTED_WITH"]) == "xmlhttprequest";
However, this is trivial to spoof. In the past, I've used this to decide whether to render a whole page (if not set) or a page fragment (if set, to be injected into current page).
Related Topics
Need to Write At Beginning of File With PHP
Convert/Cast an Stdclass Object to Another Class
Laravel View Not Found Exception
What Is Autoloading; How to Use Spl_Autoload, _Autoload and Spl_Autoload_Register
How to Write a File in Utf-8 Format
How to Create Helper Methods on Laravel Not a Facade
How to Mimic Stack Overflow Auto-Link Behavior
Right Way to Escape Backslash [ \ ] in PHP Regex
How to Prevent My Site Page to Be Loaded Via 3Rd Party Site Frame of Iframe
PHP Threading Call to a PHP Function Asynchronously
How to Make a Simple Crawler in PHP
How to Upload & Save Files With Desired Name
Reference - Composer Error "Your PHP Version Does Not Satisfy Requirements" After Upgrading PHP