In the past when I have written HTML with jQuery, in order to access specific PHP pages I have simply always done this:
user.php?Action=1&User=Adrian.....
And this would return plain text JSON, which jQuery converts into a javascript object. I have a few questions regarding this method, though.
- Is this safe? JSON is being passed back in plain text. Should it be used over HTTPS?
- How is the best way to prevent direct access to PHP? Simply checking for an active session?
- Is this whole approach ok?
Cheers,
Adrian
For number 2, it depends what you’re doing.
If you are doing anything with the ‘user.php’ file to make any changes to the DB, you would want to use POST rather than GET (this hides the parameters from the URL bar, and is safe if your page is getting crawled/scraped).
To use POST, in your user.php file replace instances of $_GET with $_POST. In your jQuery Ajax call, make sure parameter "type" is set to "POST":
type: "POST",
GET requests should only ever be for doing anything that gets and displays data from your data model (DB, whatever). POST requests are for making any updates, additions (stricter would be PUT), or deletions (DELETE).
If you want only that specific user to access the user.php script, then you would want to check the user's session and make sure it matches with the user trying to access the particular user parameter.
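The server-side checks described in the answer above, written out as an added example (this is not code from the original post or from any project). It assumes a login page has already called session_start() and set $_SESSION['user'] and a random $_SESSION['csrf_token'], and that action codes 1, 2 and 3 mean read, update and delete; both assumptions are hypothetical and marked in the code. The point of the example is that the session check is the actual access control: switching from GET to POST keeps parameters out of the URL bar and server logs, but the server must still verify who is asking, and a POST that changes data should also carry a per-session token so the page's own JavaScript is the only client that can trigger it.

```php
<?php
// Added example, not from the original post. Assumed: a login page has
// already set $_SESSION['user'] and $_SESSION['csrf_token'] (hypothetical
// names), and Action 1 = read, 2 = update, 3 = delete (hypothetical codes).
declare(strict_types=1);

session_start();

// Every exit path returns JSON with an explicit status code, so the jQuery
// caller can distinguish "not logged in" from "forbidden" from "ok".
function json_response(int $status, array $payload): void
{
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode($payload, JSON_THROW_ON_ERROR);
    exit;
}

// 1. Require an active, authenticated session. A direct request to
//    user.php without logging in first gets 401 and no data.
if (empty($_SESSION['user'])) {
    json_response(401, ['error' => 'not authenticated']);
}

$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';

// Read parameters from the body for POST and from the query string for GET;
// never mix the two for a mutating action.
$params = ($method === 'POST') ? $_POST : $_GET;
$action = (int) ($params['Action'] ?? 0);
$user   = (string) ($params['User'] ?? '');

// 2. GET may only read. Anything that changes the DB must arrive as POST.
$mutating = [2, 3]; // hypothetical: 2 = update, 3 = delete
if (in_array($action, $mutating, true) && $method !== 'POST') {
    json_response(405, ['error' => 'POST required for this action']);
}

// 3. For POST, require the per-session token the page's own JS sends
//    (e.g. as data: {Action: 2, User: name, csrf_token: token} in the
//    jQuery Ajax call). hash_equals() is a constant-time comparison.
if ($method === 'POST') {
    $sent = (string) ($_POST['csrf_token'] ?? '');
    if (!hash_equals((string) ($_SESSION['csrf_token'] ?? ''), $sent)) {
        json_response(403, ['error' => 'invalid csrf token']);
    }
}

// 4. Authorization: the User parameter must be the logged-in user.
//    Without this, any logged-in user could pass someone else's name.
if ($user === '' || $user !== $_SESSION['user']) {
    json_response(403, ['error' => 'forbidden']);
}

// 5. Dispatch. DB calls are placeholders; use prepared statements there.
switch ($action) {
    case 1:
        json_response(200, ['user' => $user, 'action' => 'read']);
    case 2:
        // e.g. $stmt = $pdo->prepare('UPDATE users SET ... WHERE name = ?');
        json_response(200, ['user' => $user, 'action' => 'updated']);
    case 3:
        json_response(200, ['user' => $user, 'action' => 'deleted']);
    default:
        json_response(400, ['error' => 'unknown action']);
}
```

Serve the page and user.php over HTTPS as well: the session cookie and the JSON body travel in the clear otherwise, and the session check above is only as strong as the cookie that proves it. Set the cookie with the Secure and HttpOnly flags (session_set_cookie_params() before session_start()) so it is neither sent over plain HTTP nor readable from script.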