I have hosted a site, the documents suggest to put files under folder public_html.
I have three files index.php(view page), common.js, and result.php(php) in root folder. On clicking a button in index.php(view) file will trigger an ajax function to result.php.
The problem is everyone can access the result.php directly…
I trying to make folder structure, that all php files(result.php) are in folder behind root. So it will not accessed directly from browser using rewrite rule or anything else.
Please help me to solve this issue…
To make a file only acccessible via ajax you can use:
It returns true or false. Basically if it returns true then let the user carry on otherwise stop them.
Word of caution: Not all JS libraries/frameworks actually set this header but most do (JQuery, Mootools etc) and not all versions so make sure you have the latest version of a library/framework before you use this.
Plus if the user spoofs your headers then there is no real way to stop them.
I tend to use this as a precursor for stopping AJAX pages from being visible publicly. I also use parameter integrity checking and a random hash stored in session (CSRF type thing) to check if the user is legitamately accessing an AJAX page.