I have a function that is called from 3 different pages. In each page I am adding an attr to one div.
For example:
<div id="posts" page="home"></div>
<div id="posts" page="feed"></div>
<div id="posts" page="search"></div>
In the JavaScript I then get the value of page and pass it to the PHP file, in which I have if, elseif and else statements.
To be more secure, I thought it would be good if the PHP file that the AJAX loads could get the URL from which the script is called, because simply by using the Google debugging tool someone can change the attr.
<?php
if ($page == 'home' && $sourceUrl == 'the home url')
{
    // do this
}
elseif ($page == 'feed' && $sourceUrl == 'the feed url')
{
    // do this
}
elseif ($page == 'search' && $sourceUrl == 'the search url')
{
    // do this
}
else
{
    exit();
}
?>
Uhm, well, you can use JavaScript to get the current page address and send it to your PHP file; you can also use PHP, but that will only get you the address of your PHP script.
Any way you do this with JavaScript will not be secure at all. The right way to do this is not to worry about what is sent to the server, as the server-side script validates all input from the user, and not the other way around!
Just check for certain values in your PHP script; if something else is received, terminate the Ajax call. That's the simple and safe (at least somewhat) solution.
To avoid XSS you can generate a random string that is inserted in the HTML on every page load from PHP, and must of course be random. Send that string with every ajax call to avoid someone sending ajax calls to your script from somewhere else.
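The two server-side checks this answer describes (accept only known values for page, and require a random string that PHP issued when the page was rendered), as an added example that is not code from the post. The function names, the `ajax_token` session key and the `token` request field are assumptions; a real endpoint would pass `$_SESSION` and `$_POST` instead of the constructed arrays.

```php
<?php
// Added example: allowlist check plus a random token issued on page load.
// issueToken, validateRequest, 'ajax_token' and 'token' are hypothetical names.

const ALLOWED_PAGES = ['home', 'feed', 'search'];

// Called by the PHP that renders a page: stores a fresh random token in the
// session and returns it so it can be embedded in the HTML and sent back
// with every Ajax call.
function issueToken(array &$session): string
{
    $session['ajax_token'] = bin2hex(random_bytes(32));
    return $session['ajax_token'];
}

// Called by the Ajax endpoint. Returns the validated page name, or null
// when the call must be terminated.
function validateRequest(array $session, array $post): ?string
{
    $expected = $session['ajax_token'] ?? '';
    $sent     = $post['token'] ?? '';
    // Constant-time comparison; an empty or non-string token never passes.
    if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
        return null;
    }
    // Strict allowlist: anything other than the three known values is rejected.
    $page = $post['page'] ?? '';
    if (!is_string($page) || !in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    return $page;
}

// Constructed demo input standing in for $_SESSION and $_POST.
$session = [];
$token   = issueToken($session);

var_dump(validateRequest($session, ['page' => 'feed',  'token' => $token]));
var_dump(validateRequest($session, ['page' => 'admin', 'token' => $token]));
var_dump(validateRequest($session, ['page' => 'home',  'token' => 'guessed']));
var_dump(validateRequest($session, ['page' => 'home']));
```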