I have data in a MySQL database that needs to be displayed via AJAX techniques (I'm using Spry) by a script called main.php. Only logged-in users can access main.php. Instead of the non-AJAX way of having main.php make direct database calls, I have another script, xmldata.php, which generates the XML-formatted data on the fly from the MySQL database for consumption by main.php.
All this works, but the problem is that unauthenticated users could access xmldata.php directly, thus bypassing authentication. What's the best way to prevent this? In other words, I want to be sure that the script xmldata.php can only be run by main.php (or other scripts which might need the same data).
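
Spry requests xmldata.php from the user's browser rather than from main.php, so the data script has to repeat the login check against the same session. The following is an added example, not the poster's code; it assumes the login page stores the user id in `$_SESSION['user_id']` (a hypothetical key) and uses constructed rows in place of the MySQL query.

```php
<?php
// xmldata.php: added example, not code from the original post.
// Assumption: a successful login sets $_SESSION['user_id'] (hypothetical key).

/** True only when the session belongs to a logged-in user. */
function is_authenticated(array $session): bool
{
    return isset($session['user_id']) && $session['user_id'] !== '';
}

/** Serialize rows to XML; text nodes are escaped by DOMDocument. */
function rows_to_xml(array $rows): string
{
    $doc  = new DOMDocument('1.0', 'UTF-8');
    $root = $doc->appendChild($doc->createElement('items'));
    foreach ($rows as $row) {
        $item = $root->appendChild($doc->createElement('item'));
        foreach ($row as $name => $value) {
            $el = $doc->createElement($name);
            $el->appendChild($doc->createTextNode((string) $value));
            $item->appendChild($el);
        }
    }
    return $doc->saveXML();
}

// The browser sends the same session cookie with the AJAX request
// that it sends when loading main.php.
session_start();

if (!is_authenticated($_SESSION)) {
    // Refuse before any database work is done.
    http_response_code(401);
    header('Content-Type: text/plain; charset=utf-8');
    exit('Authentication required');
}

// Constructed sample rows standing in for the MySQL query result.
$rows = [
    ['id' => 1, 'name' => 'Widget & Co'],
    ['id' => 2, 'name' => 'Gadget <2>'],
];

header('Content-Type: application/xml; charset=utf-8');
header('Cache-Control: no-store'); // keep per-user data out of shared caches
echo rows_to_xml($rows);
```

Any other script that serves the same data needs the same check at the top, so `is_authenticated()` is best kept in one shared include.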