Securing scripts meant to be used with Ajax
Posted: Fri Apr 24, 2009 6:54 am
I usually put this line on the top of the php scripts which I don't want directly accessed, like contact form validation/sending etc.
Code:
// Refuse to run when this file itself is the script that was requested
if ('mypage.php' == basename($_SERVER['SCRIPT_FILENAME']))
{
    echo "Direct Access Denied.";
    exit;
}
I want to use some functions of these php scripts I want to request with ajax (jQuery). If I place the above code in those scripts, the ajax request will return "Direct Access Denied.", so I need to remove it. This means someone could access these scripts directly from now on (as he can also see the filename in the page source). How can I fix this? Is there a method to tell if the page was requested via ajax?
On another note, can someone use include()/require() to include a php script from my server to his own or request it via ajax? If yes, how can I fix this?
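Added example, not part of the original post: an Ajax call is an ordinary HTTP request for the script, which is why the basename() guard in the post always fires on it. The sketch below, for a hypothetical endpoint file ajax_contact.php, treats jQuery's X-Requested-With header as a hint only and relies on a per-session token; the function names, the `ajax_token` session key and the `token` POST field are assumptions.

```php
<?php
// Added example (not from the original post). Hypothetical file: ajax_contact.php.
session_start();

// Page side: create one token per session and embed it in the page so the
// jQuery request can send it back as the POST field "token" (assumed name).
function issue_ajax_token(): string
{
    if (empty($_SESSION['ajax_token'])) {
        $_SESSION['ajax_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['ajax_token'];
}

// jQuery adds "X-Requested-With: XMLHttpRequest" to same-origin Ajax requests.
// The client controls this header, so it is a hint, never proof.
function looks_like_ajax(array $server): bool
{
    return strcasecmp($server['HTTP_X_REQUESTED_WITH'] ?? '', 'XMLHttpRequest') === 0;
}

// Constant-time comparison; non-string input (e.g. token[]=x) is rejected.
function token_is_valid($expected, $submitted): bool
{
    return is_string($expected) && $expected !== ''
        && is_string($submitted) && hash_equals($expected, $submitted);
}

// Send a JSON error with the given HTTP status and stop.
function deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $message]);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !looks_like_ajax($_SERVER)) {
    deny(400, 'Bad request.');
}
if (!token_is_valid($_SESSION['ajax_token'] ?? null, $_POST['token'] ?? null)) {
    deny(403, 'Invalid or missing token.');
}

// Request is tied to a session that loaded the page: run the form logic here.
header('Content-Type: application/json');
echo json_encode(['ok' => true]);
```

The token is visible to the visitor, just like the filename; what it adds is that a request must come from a session that was issued the token by the page, so input validation inside the script is still required.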