Sindarin wrote:I usually put this line on the top of the php scripts
I think it's better this way:
if (!defined('IN_MY_SCRIPT')) exit;
Sindarin wrote:This means someone could access these scripts directly from now on
"AJAX" files can be always accessed directly.
Sindarin wrote:Is there a method to tell if the page was requested via ajax?
Not really.
Sindarin wrote:On another note can someone use include()/require() to include a php script from my server to his own or request it via ajax? If yes, how can I fix this?
I'm not sure what you mean by this. Why would this do any harm? He cannot access your PHP code, if that is what you thought... he can include the output (HTML usually, or JSON) on his server, which does not do any harm to you.
"AJAX" files are just like other files on your server that are being requested directly. Make sure you have proper input/output filtering in place and so forth. Just remember that even if your AJAX calls do something, they can end up malicious when your server receives them if the user altered them in any way. Therefore it is crucial to take all input seriously.
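An added example (not the poster's code) of what the two points above look like in a directly reachable "AJAX" endpoint: the guard constant from the post is defined before any include, and every request is validated as if a hostile client typed it. The file name api/items.php, the id parameter and the in-memory item table are assumed/constructed.

```php
<?php
// Added example, not the original poster's code. The file name api/items.php,
// the "id" parameter and the ITEMS table are assumed; IN_MY_SCRIPT is from the post.
declare(strict_types=1);

// api/items.php: an "AJAX" endpoint. It is a public URL like any other page,
// so it must treat every request as if a hostile client typed it by hand.

// Define the guard constant before including any helpers; helpers that start
// with `if (!defined('IN_MY_SCRIPT')) exit;` then run only when pulled in by
// a real entry point, and produce nothing when fetched directly.
define('IN_MY_SCRIPT', true);

// Constructed stand-in for a database table, so the script runs on its own.
const ITEMS = [
    1 => ['name' => 'widget', 'price' => 9.99],
    2 => ['name' => '<script>alert(1)</script>', 'price' => 0.5],  // hostile stored data
];

function send(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    // json_encode escapes the output (JSON_HEX_TAG also encodes < and >), so a
    // stored value like item 2 cannot break the JSON the caller parses.
    echo json_encode($body, JSON_THROW_ON_ERROR | JSON_HEX_TAG);
    exit;
}

// Only accept the method the front-end actually uses.
if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
    send(405, ['error' => 'method not allowed']);
}

// Validate the only parameter we expect. Headers such as X-Requested-With are
// set by the client and prove nothing, so validation never depends on them.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === null || $id === false) {
    send(400, ['error' => 'id must be a positive integer']);
}

if (!isset(ITEMS[$id])) {
    send(404, ['error' => 'not found']);
}
send(200, ['item' => ITEMS[$id]]);
```

Requesting api/items.php?id=abc or with POST gets a 4xx JSON error rather than reaching the lookup, whatever the browser or script that sent it.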