Hi there.

Last time I did PHP I worked with CodeIgniter. To implement AJAX I used the XAJAX library, which was extremely simple and was capable of invoking private controller methods. Unfortunately XAJAX does not seem to be compatible with the latest version of CodeIgniter, or it might just be that it is not compatible with php5.2/5.3.

I was thinking of using jQuery, but since jQuery sends requests to an accessible URL it isn't able to invoke private methods. One of the reasons I want to use private controller methods for some of the ajax functionality is because I do not want the functionality to be directly accessible via a URL.

So, is there an ajax library for CodeIgniter that can invoke private controller methods?

EDIT: treeface's answer has helped me out by pointing out that jQuery has a .post() method. However, I am still looking for a library for CodeIgniter that plugs AJAX functionality in the framework. I would prefer to work with AJAX via PHP and CodeIgniter itself rather than typing out jQuery in my templates. Is there such a library around still?

+1  A: 

Hey John,

Hm, this is kind of an odd question to approach. If you want to call something on your server from JavaScript, you can do it in one of two ways (ignoring web sockets for the moment):

  1. A GET request where only a URL string and headers are sent to the server. With this method, you put your request information in the URL.
  2. A POST request where a message of arbitrary length is also sent along with your URL and headers. In this method you could place variables in your URL, but it would be wiser to place them in your message body.

It's important to note that jQuery has a GET method and a POST method, so your comment about how jQuery "sends requests to an accessible URL" is true, but incomplete. It also supports post requests.

With either method, it is impossible to hide something from a dedicated malcontent regarding which controller methods you're invoking, or how you invoke them. If you send your information via GET or POST, they can easily simulate that function in their browser and send a request to your controller that perfectly replicates that which is in your code. For anything that is public-facing, you will want more comprehensive security measures (where needed) than simply restricting direct URL access to controller functions.

So back to your question... "not making it accessible via a URL"... it seems kind of an odd problem to solve since if you make it inaccessible via a URL, you could just as easily access it via a POST request. But ignoring this for a moment, the way I'd do it is this...

  1. Create a public controller method that handles an incoming POST request (or group of POST requests). Inside this method search for a specific variable which will tell your controller which private methods to invoke.

  2. In JavaScript, include a variable in your POST message that can be set to whatever value you like. You can think of this as your method trigger that will be read by your controller to decide which private method to invoke as described above.

Any CI AJAX library that you can find that "accesses private methods" is assuredly doing some derivation of this. Remember: anything you do in your JavaScript can be seen by others, and therefore can be replicated.

treeface
Thanks a bunch, I wasn't aware that I could do post requests with jQuery ajax. It's not that I want to "hide" what ajax does to retrieve information with private methods, all I want is to avoid having public URLs for methods that are purely ajax getters so that users won't be able to browse to an ajax getter directly and see non-formatted output. I'll definitely look into jQuery.post :)
John
You're welcome, John. Cheers
treeface
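
The dispatcher pattern from the answer above, as an added example in plain PHP (it is not code from the answer or from CodeIgniter). The class name, action names and sample data are hypothetical; in CodeIgniter the body of `handle()` would sit in the one public controller method, reading the same request values through the framework.

```php
<?php
// Added example: plain PHP stand-in for a controller (names are hypothetical).
class AjaxEndpoint
{
    // Allowlist: POST "action" value => private method. Nothing else is callable.
    private const ACTIONS = [
        'user_count'  => 'getUserCount',
        'latest_post' => 'getLatestPost',
    ];

    // The single public entry point; returns [HTTP status, JSON body].
    public function handle(array $server, array $post): array
    {
        if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
            return [405, json_encode(['error' => 'POST only'])];
        }
        // Keeps people from browsing to raw output. The header is set by the
        // client, so this is a convenience filter, not an access control.
        if (($server['HTTP_X_REQUESTED_WITH'] ?? '') !== 'XMLHttpRequest') {
            return [404, json_encode(['error' => 'not found'])];
        }
        // The client-supplied value is only ever used as a lookup key.
        $action = $post['action'] ?? '';
        if (!is_string($action) || !array_key_exists($action, self::ACTIONS)) {
            return [400, json_encode(['error' => 'unknown action'])];
        }
        $method = self::ACTIONS[$action];
        return [200, json_encode($this->$method($post))];
    }

    private function getUserCount(array $post): array
    {
        return ['count' => 42]; // constructed sample data
    }

    private function getLatestPost(array $post): array
    {
        return ['title' => 'Hello']; // constructed sample data
    }
}

// Constructed requests: one allowlisted action, then two raw method names.
$ajax = ['REQUEST_METHOD' => 'POST', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'];
$endpoint = new AjaxEndpoint();
foreach (['user_count', 'getUserCount', 'handle'] as $action) {
    [$status, $body] = $endpoint->handle($ajax, ['action' => $action]);
    echo "$action => $status $body\n";
}
```

Only `user_count` returns 200 here; the raw method names get 400 because the posted value is matched against the allowlist and never used as a method name directly. Any private method that returns user-specific data still needs its own session and authorization checks, since the POST itself can be replayed by anyone.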