I am currently building a web app in which PHP files are loaded into a main file using jQuery's $.ajax function. However, the PHP files are obviously still accessible outside of the app, by just typing the file's name in the address bar.

So my question is what would be the best way to make it so that the PHP file being 'ajaxed' in knows that it is contained in the correct page and will function correctly, but if it is accessed in any other way (even if someone were to make their own website and AJAX in my PHP file) then the file should say "access denied" or something.

Thanks in advance

+6  A: 

Quoting Eran Galperin from a similar discussion

As others have said, Ajax requests can be emulated by creating the proper headers. If you want to have a basic check to see if the request is an Ajax request you can use:

<?php
// The header is sent by the client, so isset() avoids a notice when it is absent;
// this identifies jQuery-style requests but is not a security check.
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest') {
    // Request identified as an Ajax request
}

However you should never base your security on this check. It will eliminate direct accesses to the page if that is what you need.

Please take this answer by Jeremy Ruten also into account:

There is no way of guaranteeing that they're accessing it through AJAX. Both direct access and AJAX access come from the client, so it can easily be faked.

Why do you want to do this anyways?

If it's because the PHP code isn't very secure, make the PHP code more secure. (For example, if your AJAX passes the user id to the PHP file, write code in the PHP file to make sure that is the correct user id.)

More clever thoughts in the discussion linked above.

middus
So how exactly is someone supposed to access this page with an XMLHttpRequest? Are you aware of the same origin policy?
Rook
I am aware of the same origin policy. The check for XMLHttpRequest can be made in order to find out whether the script has been called via AJAX (i.e. your own script) or whether someone pointed his browser to this location. Calling the script from the Firebug console of your own site is a different story, though.
middus
A: 

It's not simple and probably there is no way to do that at all. You can require some POST variables in your PHP file and send them in your AJAX request. This will secure you from someone who simply pastes the URL into his browser.

Nobody can AJAX your site from another domain (security restrictions), but anyone can still connect and directly send an HTTP request, for example with cURL.

You can create some token in cookies, that will be also seen from jquery request, but that solution can also be hacked.

killer_PL
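The two answers above make the same point from different angles: the X-Requested-With header and a plain "is it AJAX" check can be faked by any HTTP client, so the fragment has to protect itself with a login check, an authorization check on the user id (Jeremy Ruten's advice in the first answer), and a per-session token sent in the POST body (the second answer's POST variables). The following file is an added example, not code from the question or from any of the answerers; it assumes a page named main.php that loads a fragment named fragment.php with $.ajax, and a session that already holds user_id after login.

```php
<?php
// Added example for fragment.php (assumed name): a PHP file loaded via $.ajax
// that does not rely on X-Requested-With for security.
declare(strict_types=1);

// Issue one random token per session. main.php embeds it in the page so the
// jQuery call can send it. A page on another origin cannot read it (same-origin
// policy), and a URL typed into the address bar does not carry it.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Returns null when the request is acceptable, otherwise a short reason for a 403.
// Takes the superglobals as parameters so the logic can be exercised without a web server.
function reject_reason(array $server, array $post, array $session): ?string
{
    // 1. Only POST: a bare link pasted into the address bar arrives as a GET.
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return 'method';
    }
    // 2. The visitor must be logged in; fragments are not for anonymous visitors.
    if (empty($session['user_id'])) {
        return 'not logged in';
    }
    // 3. The token in the POST body must match the session token (constant-time compare).
    $sent     = (string) ($post['csrf_token'] ?? '');
    $expected = (string) ($session['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $sent)) {
        return 'bad token';
    }
    // 4. Authorization: the user id the client passes must be the caller's own id.
    if ((string) ($post['user_id'] ?? '') !== (string) $session['user_id']) {
        return 'wrong user';
    }
    // X-Requested-With is only a hint (any HTTP client can set it): log it, never enforce it.
    if (($server['HTTP_X_REQUESTED_WITH'] ?? '') !== 'XMLHttpRequest') {
        error_log('fragment.php: request without X-Requested-With header');
    }
    return null;
}

if (PHP_SAPI !== 'cli') {
    session_start();
    $reason = reject_reason($_SERVER, $_POST, $_SESSION);
    if ($reason !== null) {
        http_response_code(403);
        header('Content-Type: text/plain');
        echo "access denied ($reason)";
        exit;
    }
    // Request is acceptable: emit the fragment for the logged-in user.
    header('Content-Type: text/html; charset=utf-8');
    echo '<p>Private content for user '
        . htmlspecialchars((string) $_SESSION['user_id'], ENT_QUOTES, 'UTF-8')
        . '</p>';
} else {
    // Self-check from the command line with constructed (fake) request data.
    $session = ['user_id' => 42, 'csrf_token' => str_repeat('ab', 32)];
    $okPost  = ['csrf_token' => $session['csrf_token'], 'user_id' => '42'];
    assert(reject_reason(['REQUEST_METHOD' => 'GET'], [], $session) === 'method');
    assert(reject_reason(['REQUEST_METHOD' => 'POST'], $okPost, []) === 'not logged in');
    assert(reject_reason(['REQUEST_METHOD' => 'POST'], ['user_id' => '42'], $session) === 'bad token');
    assert(reject_reason(['REQUEST_METHOD' => 'POST'], ['csrf_token' => $session['csrf_token'], 'user_id' => '7'], $session) === 'wrong user');
    assert(reject_reason(['REQUEST_METHOD' => 'POST'], $okPost, $session) === null);
    echo "self-check passed\n";
}
```

In main.php (assumed name) the page calls session_start(), includes this file for csrf_token(), and prints the token and the logged-in user's id into the $.ajax call as data, with type set to 'POST'. A request that lacks the POST body, the session cookie, or a matching token is refused before any content is produced, which is what the question's "access denied" behaviour amounts to in practice: the file is still reachable by URL, but it does not do anything useful for a caller who is not the logged-in user on your own page.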
A: 

You could also block hotlinking if you are worried that others might access your content without your approval.

see: http://www.htmlbasix.com/disablehotlinking.shtml

Christian Smorra
A: 

JavaScript running on another domain cannot access any page on your domain because this is a violation of the Same-Origin Policy. The attacker would need to exploit an XSS vulnerability in order to pull this off. In short you don't need to worry about this specific attack, just the same old attacks that affect every web application.

Rook