when use GET Method for receive JSON data , we can acsses the result directly from web browser , for example i send a mydata value from ajax to a main.php file and it process and get answer show a result some thing like below :
<?php
if (isset($_GET["mydata"])) {
if ($_GET["mydata"]=="hello"){
echo "hello world";
}
}
?>
but when a user call it in browser directly like http:mysite.com/mydata.php?mydata=hello recive answer . i want dont allow users to get answer of http request directly , and just can show it from ajax result of main page is it possible ?
You're asking how to prevent an ajax-only request from being accessed directly by copy-pasting the URL into the web browser; that is, only allowing the URL to be accessible via ajax on the main web page.
Well, there are a few things you can try:
Check the Referrer for the URL of the main page with $_SERVER['HTTP_REFERER']
Set a header in Javascript using xhr.setRequestHeader() and then ensure it's value by checking for $_SERVER['HTTP_X_....'] in PHP
Like Jay Bhatt recommended, check for the X_REQUESTED_WITH header, but be aware this might not always be set (see: X-Requested-With header not set in jquery ajaxForm plugin)
However, in any of these situations you should be aware that anyone who knows what they are doing can easily set any HTTP header, variable, or even modify the referrer which is sent to the server. As such, there is no 100% guarantee that your resouce can be accessed only via AJAX on the main web page. There is no control built in the internet to verify where a request is coming from, so anyone can easily spoof or fake it.
Related
Is it possible to include some message in a PHP header:
header("Location: http://somesite.com");
header("Message: hello");
then on site.com:
$message = some_function(); // "hello"
I am currently using a $_GET parameter in the URL, but looking for an alternative, maybe sending a $_POST?
I'm trying to not use $_GET, or use cookies (I know, those are the best ways..)
It sounds like you are wanting to send some extra data to the page you are redirecting to. No, this isn't possible outside of the query string. You should understand what is happening here.
When you send a 302 or 301 status code along with a Location: header, the browser sees this and then makes a separate request to the URL specified by the Location: header. The server isn't sending anything to that page. It's almost as if the user simply typed in that new URL in their browser.
I say almost because in some circumstances, there is a referrer set by the browser. This isn't guaranteed though.
What you can do is send some sort of token that contains more information. Perhaps your page saves off a message in a database or something, and then you pass the ID in the query string of the URL you're redirecting to.
Also, if you set session/cookie data and you're redirecting to something on the same domain, you can read that information on the page the user eventually lands on.
In addition to what Brad suggested, you can also send some info using # in the url without affecting the query string and then capture it with js.
header("Location: http://somesite.com#success");
in js:
if(window.location.href.indexOf('#success')>0) {
alert("operation successfully completed");
}
I have a massive of scripts that my core application
include('JS/gramp.php');
include('JS/est.php');
include('JS/curest.php');
include('JS/memomarker.php');
include('JS/local----------.php');
include('JS/poirel.php');
include('JS/maplayers.php');
include('JS/trafficinc.php');
include('JS/plannedtraffic.php');
include('JS/transportissues.php');
include('JS/cams_traff.php');
include('JS/places2.php');
Now these are all being moved to a on the fly loading, to reduce the size of the application on load
if(button_case_curtime==true){
$(".jsstm").load("<?php echo $core_dir; ?>JS/curresttime.php?la=<?php echo $caseset['iplat']; ?>&lo=<?php echo $caseset['iplong']; ?>&h=<?php echo $days_h; ?>");
rendermap = true;
}
issue! the application requires these files to be secure, the data involved requires that no one can access.
The ONLY file that will ever request these files will be index.php
Any input or idears would be fantastic!
There is no way to provide a file to the browser without also providing it to a user.
You could configure your server to only supply the files given an extra HTTP header (which you could add with JS), but nothing would stop people from sending that header manually or just digging the source out of the browser's debugging tools.
Any user you give the files to will have access to the files. If you want to limit which users have access to them, then you have to use auth/authz (which you'll want to apply to the index.php file as well so that unauthorised users don't just get JS errors or silent failure states).
No. What you are trying to do is not possible. Ajax requests are not special. They are just HTTP requests. End points created for Ajax should be secured with authentication/authorization just like any other HTTP request end point.
This is a trivial solution that will solve your problem half-way. Request them via a POST request, like so:
$.post('JS/maplayers.php', {'ajax':true}, function(){});
Notice the POST variable 'ajax'. In the file maplayers.php, add to the beginning the following code:
if((!isset($_POST['ajax']))) {
die('Invalid request, only ajax requests are permitted');
}
i would like to use HTTP_REFERER to send my own referer.
Like this http://mywebsite.com/spoof.php?newurl=anotherwebsite.com
this is what i have but doesn't work
spoof.php
<?php
$referer = (www.website.com, $_SERVER['HTTP_REFERER']);
?>
You want to send people to another url with a spoofed referer?
thats not possible.
The referrer is controlled by the client (ie. their browser).
http://en.wikipedia.org/wiki/HTTP_referrer
They send it to the new URL when you redirect them.
You can make a request with that PHP file using the spoofed header with cURL, but you can not send the client there.
Best you can do is echo a link with rel="noreferrer" and hope the user's browser supports it (and this only nulls the referrer, it doesn't change it). Or alternatively send the Location header which will turn the referrer to your site.
You can't override the referrer header that the user's browser sends. If you want to control the referrer header like that, then your only option is to send the request yourself, by doing either:
Have your server act as a proxy for the request. Construct a new HTTP request server-side, set the referrer header to whatever you want, and return the result to the client. Note that you will have to rewrite any relative URL's in the target site's markup if you want the page to display and function correctly for the user.
Create your own browser (or perhaps browser-plugin) and get people to use that. Then you can set headers however you want.
I'm using some PHP pages do some AJAX stuff but I don't want them to be directly accessible. Facebook does a similar thing so for example: domain.com/ajax/my_ajax_form.php
If I was to load that page using AJAX it would work fine, but if a user were to try and loading the file directly by typing in that url it would do through an error so e.g.
if( IS FILE LOADED DIRECT? )
{
header ( HTTP/1.0 404 );
}
This isn't possible. You cannot rely on $_SERVER['HTTP_X_REQUESTED_WITH'], and even if you could, it doesn't matter. Anyone can send the same request to your server that your browser does, via POST or GET.
What you should do is validate the request, and return the proper result if it is valid. If it is invalid, do not return a 404. (Browsers can cache errors like 404. If your client-side code had a trouble, subsequent requests may fail!) If the request is invalid, return an error of some sort.
Again, it is impossible to secure stuff like this. You should be validating the session and request data. That's all.
You can look for the HTTP_X_REQUESTED_WITH header.
$is_ajax = array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER)
&& $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest';
if (! $is_ajax) {
die('go away.');
}
Note, though, that it's not standard, but needs to be set explicitly on the requesting side. AFAIK, at least jQuery and Mootools set it though, probably most others as well, but don't take my word for it.
Simplest way is to only access that page via POST, and not via GET. Though keep in mind - if a browser can do it - then a hacker can too.
You have to use session variables, or more generally, cookies.
With cookies: (set in JavaScript)
JavaScript: Set token in cookie
JavaScript: Make XMLHttpRequest
Server side: Check token from cookie
Server side: Return JSON output or error message
Please note that this is no way secure! This just prevents easy linking.
With session variables: (cookies set in server side)
Server side: Authenticate user, set privileges
JavaScript: Make XMLHttpRequest
Server side: Check privileges
Server side: Return JSON output or error message
This method is as secure as the user authentication is.
I want to post to an external php file and get the result. It a php that i have hosted in my server online. I want the static page in my localhost post by ajax and load the html in a div. But I'm not able to do this.
$.post("http://www.site.com/index.php", { font: "panchami", input: "hi" } );
Is there anything wrong in this?
The Same Origin Policy prevents Ajax calls to external domains.
Popular workarounds include
JSONP
Embedding the data in an iframe instead
Using a server-side proxy the does the fetching (see #BrunoLM's answer for a PHP example; it is possible in any server-side language)
YUI's Get as shown in #Alex's answer
depending on what your use case is.
Javascript doesn't allow cross domain requests.
What you can do is a PHP file on your server that reads the contents of the other site:
<?php echo file_get_contents($_REQUEST['url']); ?>
Then make requests to your file, like so:
$.post("proxy.php?url=external_url", ...);
Or using GET, for example:
http://developer.yahoo.com/yui/get/
This kind of request is dangerous, it is called a Cross-Site request and is forbidden by most browsers. If you look in your error console you should see a message to that effect.
If you really have no alternative then you can consider using iframes, the src attribute can be outside the current domain and you can parse the information using javascript.
Hope that helps :)