For AJAX on my website, I make calls from a Javascript file to something.php?request=bla. I don't want the user to view the results of this request or even run the PHP file by typing in www.myurl/something.php?request=bla. I only want files on my server to be able to call PHP files. There are many things I have considered, such as secret values that get compared in the PHP scripts themselves, but that sounds too complicated for what I want. I am sure there is a simpler way.
How do I make it so that a PHP file can only be run if a script existing ON THE SERVER calls it? Users should not be able to run it using their address bar.
asked Apr 26, 2011 at 10:40 by Dalal

Comment: I'm afraid there is no simpler way than to create a unique hash when generating the page containing the private AJAX request. Save the hash to the session and also as parameter of the AJAX call. Upon call of the PHP script decide whether the call was private by comparing the hash being submitted with the hash you've saved into the session. Like Pekka said, the AJAX request is client side, so you cannot control it in any way. – Jürgen Thelen, Apr 26, 2011 at 11:37
3 Answers
This is fundamentally impossible. Your Ajax request is always coming from the client.
You could in theory check for the HTTP_REFERER header, but as a security measure, this is completely useless. Every aspect of a request (Ajax or not) that comes from the client can be freely manipulated, including the referer field. It is trivial to fake an Ajax request that allegedly was started on your page.
It shouldn't be necessary for you to impose such a restriction in the first place: If you have a security system in place (like a login), that system's restrictions will (or should) apply to Ajax requests as well.
If you have Ajax requests that allow harmful actions (like deleting) without authentication, you will need to add authentication. There is no way you can limit those requests to a certain context or web site.
Use POST for all your AJAX calls, and reject all GET requests. That won't be perfect, but it will be good enough.
As workaround (only!) you can probe for the X-Requested-With: header. That differentiates real AJAX requests from address bar invocations. You cannot ensure the origin of the request with that.

    if (stristr($_SERVER["HTTP_X_REQUESTED_WITH"] ?? "", "XMLHttpRequest")) {
        // header present: the request came via XMLHttpRequest, handle it here
    }
(You could inject some more obfuscation headers with your $.ajax() calls. But again, that's just making it more cumbersome to fake, not impossible.)
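As an added example (not code from the question or any of the answers), this combines the session-hash scheme from Jürgen Thelen's comment with the X-Requested-With probe from the last answer; the function names, the X-Ajax-Token header and the session key are assumptions. It raises the bar against address-bar and cross-site invocations, but, as the answers say, a user with browser dev tools can still replay the token, so it is not an origin guarantee.

```php
<?php
// Added example; function and header names below are assumed, not from the page.
declare(strict_types=1);
session_start();

// Call this when rendering the page that will issue the AJAX requests.
// The token lives server-side in the session and is echoed into the page,
// so only a page this server generated for this session carries it.
function issueAjaxToken(): string
{
    if (empty($_SESSION['ajax_token'])) {
        $_SESSION['ajax_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['ajax_token'];
}

// Call this at the top of something.php. True only when the request looks
// like an XMLHttpRequest AND carries the token stored for this session.
function isPrivateAjaxRequest(): bool
{
    $viaXhr = stristr($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '', 'XMLHttpRequest') !== false;
    $sent   = $_SERVER['HTTP_X_AJAX_TOKEN'] ?? '';   // custom header set by the JS caller
    $stored = $_SESSION['ajax_token'] ?? '';
    // hash_equals() compares in constant time; a plain == would leak timing.
    return $viaXhr && $stored !== '' && hash_equals($stored, $sent);
}

// --- in the page that embeds the JavaScript ---
// $token = issueAjaxToken();
// echo '<script>const AJAX_TOKEN = ' . json_encode($token) . ';</script>';
// Client side (jQuery): $.ajax({ url: 'something.php', type: 'POST',
//     headers: { 'X-Ajax-Token': AJAX_TOKEN }, data: { request: 'bla' } });

// --- in something.php: refuse address-bar and cross-site invocations ---
if (!isPrivateAjaxRequest()) {
    http_response_code(403);
    exit('Forbidden');
}
// ... handle $_POST['request'] here
```

Sending the token in a custom header rather than as a query parameter keeps it out of server logs and referer headers, and a custom header forces a CORS preflight for cross-origin callers.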