2

I've read a lot about .htaccess rules, checking headers, using encryption etc., but I haven't found exactly the answer I'm after. I know that assuming the server is set up right, you can't access my precious PHP scripts with AJAX. I tried checking if an access variable was defined, which disallowed address bar access but also blocked my AJAX requests.

If I have some PHP scripts that I use for AJAX calls, is there a way that I can prevent address bar access, PHP POST (cURL etc.) as well as AJAX from outside my domain (assumed via cross-domain access restrictions)?

5
  • 1
    You can't prevent public (AJAX or not) access and at the same time allow it. Commented Apr 10, 2013 at 17:22
  • So anyone who knows the path to my scripts can use AJAX to modify my SQLite database? Commented Apr 10, 2013 at 17:23
  • 1
    @paranoid-android No, you should be protecting your AJAX requests via some kind of authentication. "AJAX" doesn't imply "unauthenticated". Commented Apr 10, 2013 at 17:23
  • 1
    Anything is possible, you could listen for anything that isn't an AJAX request, and display a message when someone tries to directly access the PHP file, but headers are easily spoofed, so that's not really secure. You could use .htaccess to block access from any IP that isn't your own, or you could use PHP to do the same etc. Commented Apr 10, 2013 at 17:25
  • 1
    You can make it difficult, but you can't make it impossible. Commented Apr 10, 2013 at 17:28

4 Answers

5

There is absolutely NO way to safely/reliably identify which part of the browser the request comes from -- address bar, AJAX. There's a way to identify what is sending, though (browser/curl/etc.), via the User-Agent header (but not reliably).

A quick but a lot less reliable solution would be to check for the following header. Most browsers attach it with AJAX calls. Be sure to thoroughly look into it, and implement.

X-Requested-With: XMLHttpRequest

NOTE: Do not trust the client if the resource is crucial. You are better off implementing some other means of access filtering. Remember, anyone can fake headers!


0

You can check whether the request isn't an Ajax request and forbid it, but it's not really safe due to the fact that the headers can be manipulated.

What you can do is to block every IP except the IP which is allowed to access those files.

What you can do as well is implement a kind of authentication, where external applications have to send credentials to your script and the script checks if the client is valid.

Many ways, but they're all not really the best ways to achieve maximum security.


0

I do not know definitely. However – indirectly, you can do this. Pass a unique and constantly changing parameter (GET or POST) that only you have access to as proof of the origin. If the request lacks this unique variable, then it's not from you. Think outside the box on this one. It could be anything you want; here are some ideas.

1) pass the result of a mathematical equation as proof of origin. Something that you can programmatically predict, yet not obvious to prying header hackers. i.e. cos($dayOfYear) or even better base64_encode(base64_encode(cos($dayOfYear))).

2) store a unique key in a database that changes every time someone accesses the page. Then pass that key along with the request, and do some checks on the end page; if they don't match up to the database key, you've found the peeping tom. (Note there will be logic involved for making sure the key hasn't changed in between transmission of requests.)

etc..
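The per-request token idea in this answer, and the X-Requested-With check from the top answer, are easiest to judge side by side in one endpoint guard. The code below is an added example, not code from any of the answers: it gates an AJAX-only PHP endpoint on (1) an authenticated session, (2) a random per-session token issued by the page that makes the AJAX call, compared in constant time, and only then (3) the spoofable header as defence in depth. The function names, the `user_id` session key and the `token` POST field are this example's own choices.

```php
<?php
// Added example (not from the original answers): one guard used by every
// AJAX-only PHP endpoint. Order matters: the authentication and token checks
// are the real gate; the header check only turns away casual address-bar use.
// Names used here (issue_ajax_token, reject_reason, user_id, ajax_token,
// the "token" POST field) are assumptions of this example.

declare(strict_types=1);

session_start();

/** Called by the page that embeds the AJAX code: issues one random token per session. */
function issue_ajax_token(): string
{
    if (empty($_SESSION['ajax_token'])) {
        $_SESSION['ajax_token'] = bin2hex(random_bytes(32)); // 256 bits, unguessable
    }
    return $_SESSION['ajax_token'];
}

/** Returns null when the request may proceed, otherwise a short reason for the log. */
function reject_reason(array $server, array $session, ?string $sentToken): ?string
{
    // 1. Authentication: whatever your login code stores; here a user id.
    if (empty($session['user_id'])) {
        return 'not logged in';
    }
    // 2. Token: must exist in the session and match what the client sent.
    //    hash_equals avoids leaking the token through timing differences.
    $expected = $session['ajax_token'] ?? '';
    if ($expected === '' || $sentToken === null || !hash_equals($expected, $sentToken)) {
        return 'missing or wrong token';
    }
    // 3. Header: any client can set it, so it is a nuisance for the address
    //    bar, not a security boundary (as the top answer says).
    if (($server['HTTP_X_REQUESTED_WITH'] ?? '') !== 'XMLHttpRequest') {
        return 'not an XMLHttpRequest';
    }
    // A bare GET typed into the address bar should never be able to mutate data.
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return 'wrong method';
    }
    return null;
}

// --- endpoint body ---
$reason = reject_reason($_SERVER, $_SESSION, $_POST['token'] ?? null);
if ($reason !== null) {
    http_response_code(403);
    error_log('ajax guard rejected request: ' . $reason); // audit trail for the defender
    exit;
}
// ... safe to touch the SQLite database here ...
```

On the page that issues the call, embed `issue_ajax_token()` into the script (for example `const TOKEN = <?= json_encode(issue_ajax_token()) ?>;`) and send it as the `token` field of the POST body together with the `X-Requested-With: XMLHttpRequest` header. A script on another site cannot read that token because it never sees your page's HTML, and a curl user who has it only has it because they are already logged in; that is the most the "unique, changing parameter" approach can buy you.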


-1

Try to check if $_SERVER['HTTP_ORIGIN'] is set on the POST access; it must be identical to your domain. If so, then the POST is generated by your own website and it's safe to process it.

1 Comment

This is not a good answer. Amongst other reasons because it starts with the word "Try". It might have made a reasonable comment though. I'd encourage you to make the conversion before you're saddled with a hail of down-votes.
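Checking the Origin header does have a narrow, legitimate use: it tells a browser-originated cross-site request apart from one made by your own pages. The code below is an added example, not code from the answer above, showing how to do that comparison against an explicit allowlist and where it stops helping: a plain address-bar GET carries no Origin at all, and a non-browser client (curl, a PHP script) can send any Origin it likes. The allowlist values are constructed for the example.

```php
<?php
// Added example (not from the original answer): Origin allowlist check.
// Compare whole origins (scheme + host + optional port), never a substring
// match: "https://example.com.evil.test" contains "example.com".

declare(strict_types=1);

const ALLOWED_ORIGINS = [ // constructed values for this example
    'https://example.com',
    'https://www.example.com',
];

/**
 * True only when the Origin header is present and exactly matches one of the
 * allowed origins. Scheme and host are compared case-insensitively; a value
 * with a path, query or userinfo is not a real Origin and is rejected.
 */
function origin_allowed(?string $origin, array $allowed = ALLOWED_ORIGINS): bool
{
    if ($origin === null || $origin === '' || $origin === 'null') {
        return false; // absent (address bar, same-site GET) or opaque origin
    }
    $parts = parse_url($origin);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || isset($parts['path']) || isset($parts['query']) || isset($parts['user'])) {
        return false; // browsers send only scheme://host[:port]
    }
    $normalised = strtolower($parts['scheme']) . '://' . strtolower($parts['host'])
        . (isset($parts['port']) ? ':' . $parts['port'] : '');
    foreach ($allowed as $candidate) {
        if (hash_equals(strtolower($candidate), $normalised)) {
            return true;
        }
    }
    return false;
}

// --- endpoint body ---
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST'
    || !origin_allowed($_SERVER['HTTP_ORIGIN'] ?? null)) {
    http_response_code(403);
    error_log('rejected request with Origin: ' . ($_SERVER['HTTP_ORIGIN'] ?? '(none)'));
    exit;
}
// ... process the POST ...
```

Treat this as one layer beside session authentication, not as the gate on its own: it blocks other websites' scripts running in a victim's browser (the cross-site case the question asks about) but says nothing about a client that is not a browser.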
