[RESOLVED] HTTP_REFERER

mykg4orce

Hello;

long while since I posted here..

I am using a validator.php file to validate some textfield via AJAX.

I want to prevent anyone from directly accessing the validate.php file. The path to which is in my JavaScript (AJAX) code.

I have used a simple if statement like this...

if ($_SERVER['HTTP_REFERER']) {

  .
  .
  .
  my code
  .
  .
  .

}

So far i can still execute my code from within the page the contains the AJAX code, but when I try to access the file directly from my address bar I get an error. So it seems to do what I want.

I wanted your opinion on whether this is an efficient and/or reliable method of keeping unwanted views of the validate.php file.

I was also thinking about using the SCRIPT_NAME, so that the file will only allow access to its code if the script trying to access it is the page where my AJAX code is, but then I will have to take into account all the files I would be using to access this validator.php class.

Thank You

NogDog

The http_referer is not reliable, as it is not a required request header, so not every client will send it, plus it's easy for a hacker to spoof it.

mykg4orce

any other suggestions then?

NogDog

You could use a session variable, setting it in the main script and checking for it in the script called by the AJAX function. Strictly speaking, it would not stop someone from calling the script directly, but they could only do so after calling the main script first.

mykg4orce

i see your point.....hmmm

Horizon88

I use something similar to this, without the ajax.

My first page has this:

define('variable', TRUE);
// code here

then the second page has:

if (!defined('variable')) {
header('location: firstpage.php');
exit;
}
else {
// code
}

I dunno if that would help with the ajax or not though...

mykg4orce

excellent, simple yet effective.

Horizon88

That's how I roll. 😛 Don't forget to mark it resolved if this does it for you.