• Some users have recently had their accounts hijacked. It seems that the now defunct EVGA forums might have compromised your password there and seems many are using the same PW here. We would suggest you UPDATE YOUR PASSWORD and TURN ON 2FA for your account here to further secure it. None of the compromised accounts had 2FA turned on.
    Once you have enabled 2FA, your account will be updated soon to show a badge, letting other members know that you use 2FA to protect your account. This should be beneficial for everyone that uses FSFT.

Question about securing my PHP

mrgstiffler

[H]F Junkie
Joined
Dec 20, 2000
Messages
13,410
So I have a few PHP scripts that are used exclusively asynchronously by Javascript. Anybody have suggestions on how I could limit the PHP files to only be accessed by the Javascript xmlhttprequest?
 
Require some sort of session ID token to be sent as a parameter to the site.

At the end of the day, it's just an HTTP request. Anything Javascript could do could be done through any HTTP requester. So you need some sort of authentication mechanism.
 
I know many browsers send a special header indicating if it's a xmlhttprequest. I use the Zend Framework for my development and they include a function to actually do what you asking. This is the function they use:

****Obtained from Zend Framework 1.9.0 source****
public function isXmlHttpRequest()
{
return ($this->getHeader('X_REQUESTED_WITH') == 'XMLHttpRequest');
}
*******************

So you just need to grab the X_REQUESTED_WITH header and see if it contains XMLHttpRequest
 
Back
Top