Should the PHP files that do processing/validation of data called by AJAX be put in 'include' folder and made inaccessible to the user?

Question

My Question is suppose I have a form which needs validation through AJAX. The AJAX is sending data to to a file called do_ajax_validation.php. Now should I put this file in 'include' folder and name it do_ajax_validation.inc.php and bar it from direct access of the user or should I put it in the directory in which the original form resides?

Edit: And the same question is for the files which do processing of data of forms (or the files which are defined in the action property of the form tag)

Answer 1

You can't prevent the user from directly accessing the file. If you do, you prevent the XMLHttpRequest object from accessing it too!

You should have a reasonable URI for the XHR to access. Beyond that, structure your files in whatever fashion makes the site easiest to maintain.