First of all, this is my first post on Stack Overflow and I’m trying to learn PHP/MySQL for a personal project that I’m working on. I think I will be spending a lot of time on here asking heaps of questions, so forgive me if I ask too many questions that you may find trivial.
On with the question.
I’m using a combination of ajax and PHP to process server side scripts. What I want to do is have a PHP module that will accept input, process something, and provide output. Much like a function.
What I’m trying to wrap my head around is how can I make PHP like a black box process module, like a function, rather than a page.
As an example, I have a login.html page which uses AJAX to send a request to a login.php page. The login.php accepts the input, processes it, and outputs a JSON object which tells the calling page whether it was successful, and if not lists the errors that it encountered along the way.
Here lies the issue. I don’t want users to be able to go to login.php directly. In fact, I don’t even want login.php to be visible to the public. The login.php is only a process, so if you go to it, it will be blank. This doesn’t seem like good practice, letting users see a blank page.
I thought about putting the login.php outside the public folder, but this would mean that ajax won’t be able to make a request to it either.
To get around this I have the login.html sit within the login.php. It will make a request to itself, then based on the type of request, the php will perform different things. This will resolve the “blank page” issue. But I can’t help wonder if there is a way to make a standalone PHP module without having to make it work like a page also.
Any thoughts into this will be much appreciated. Thanks.
If AJAX can request the page, then any user will be able to navigate to the page with their browser. You really shouldn’t be concerned with this, because unless they snoop around they won’t happen upon the PHP page. If you want a little bit of verification that the request was made by AJAX you can look for the X-Requested-With header, but this doesn’t always work because not every browser sends it:
To make this work reliably on every browser, you’ll need to set this header on the client side:
However, this is still not foolproof because anyone can send a header with a program like Tamperdata, but this should be good enough to deter the lazy snoop. Again though, allowing users to see this page (if they snoop) won’t be a huge problem. It’s not going to create a security vulnerability, and on the off chance that a user stumbles upon the login.php page, they’ll be redirected back to login.html.
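The pattern from the question and the answer put together as an added example (this is not code from either poster): login.php checks the X-Requested-With header, sends non-AJAX visitors back to login.html instead of showing a blank page, and otherwise behaves like a function that takes JSON in and returns JSON out. The demo account and password are constructed stand-ins for a MySQL lookup, and, as the answer says, the header check is only a convenience against casual visitors, not an access control.

```php
<?php
// login.php: a request-processing module, not a page a user is meant to see.
declare(strict_types=1);

// True when the client marked the request as AJAX. Any client can set this
// header, so it only steers ordinary browser visits back to the HTML form.
function is_ajax_request(array $server): bool
{
    $hdr = $server['HTTP_X_REQUESTED_WITH'] ?? '';
    return strcasecmp($hdr, 'XMLHttpRequest') === 0;
}

// Function-style processing: parameters in, result array out, no HTML.
function process_login(array $input, string $knownUser, string $knownHash): array
{
    $errors = [];
    $user = trim((string)($input['username'] ?? ''));
    $pass = (string)($input['password'] ?? '');
    if ($user === '') {
        $errors[] = 'Username is required.';
    }
    if ($pass === '') {
        $errors[] = 'Password is required.';
    }
    // Verify against a stored password_hash(); a real module would fetch the
    // hash for $user from MySQL instead of using the constructed demo account.
    if ($errors === [] && !($user === $knownUser && password_verify($pass, $knownHash))) {
        $errors[] = 'Invalid username or password.';
    }
    return ['success' => $errors === [], 'errors' => $errors];
}

if (!is_ajax_request($_SERVER)) {
    // A person who typed login.php into the address bar lands on the form.
    header('Location: login.html', true, 303);
    exit;
}

// Constructed demo credentials (assumption, stands in for a database row).
$demoUser = 'demo';
$demoHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

// Accept a JSON body from fetch/XMLHttpRequest, or a classic form POST.
$input = json_decode((string)file_get_contents('php://input'), true);
if (!is_array($input)) {
    $input = $_POST;
}
header('Content-Type: application/json');
echo json_encode(process_login($input, $demoUser, $demoHash));
```

On the client side (login.html) the header has to be set explicitly so every browser sends it, for example with fetch: `headers: {'X-Requested-With': 'XMLHttpRequest', 'Content-Type': 'application/json'}` and `body: JSON.stringify({username, password})`.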