Limiting access to script, only ajax requests?

foyer

I'm using the jQuery library, and I'm looking for some incite on what I should do to limiting access to a PHP script unless it is an ajax request. Can I use _SERVER["HTTP_X_REQUESTED_WITH"]?

dagon

Some server globals are specific to how the software has been set up, so i would check on your server to see what is there that you can use. you could always add a query string to the request for validation

ie:

ajax.php?test=fheryucherigfnrberucvndrrufifm

if($_GET['test'] !='fheryucherigfnrberucvndrrufifm'){
exit('bad');
}

unless someone has access to your php they wont know the string.

NogDog

I cannot think of any way to absolutely prevent it, but you could prevent casual requests to it by using sessions along with something like Dagon suggested.

main_page.php:

<?php
session_start();
$_SESSION['token'] = uniqid();
$ajaxUrl = "ajax.php?token=" . $_SESSION['token'];
// use $ajaxUrl in your AJAX JavaScript
?>

ajax.php

<?php
session_start();
if(!isset($_GET['token']) or $_GET['token'] != $_SESSION['token'])
{
   exit;
}
// rest of script
?>

foyer

Thanks guys, I think I'm just going to scratch the ajax after all.