Naga Botak

Reputation: 751

Prevent users from directly seeing a PHP URL in JavaScript

I want to prevent users from directly seeing the PHP URL in my JavaScript. Example:

// submit handler for the search form; the form id is assumed here and
// dataString is built elsewhere on the page
$("#searchForm").submit(function () {
    $.ajax({
        type: "POST",
        url: "search.php",
        data: dataString,
        cache: false,
        success: function (html) {
            $("#display").html(html).show();
        }
    });
    return false;
});

Is it possible, or is there any way, to prevent a user from seeing the PHP URL when he/she views the source of my page? Sometimes a user may try to open the PHP URL directly.

Thanks for the help.

Upvotes: 1

Views: 273

Answers (3)

Netorica

Reputation: 19337

OK, to make things clear:

  1. Once it's on the client side (the browser) you can't hide it. Users can still download or view the source of what is returned to the client side.
  2. Obfuscating is not really needed, because you just make things complicated without protecting anything.
  3. But anything that is server-side code (PHP) will not be shown, as it is processed on the server side and the server just returns the results of executing the server-side code.

Well, in the case of your problem, the thing you can do is check whether the $_POST and $_GET parameters are valid when they reach your PHP code, thus making every POST and GET request valid and safe. It's somewhat like this:

<?php
  if (isset($_POST['username']) && isset($_POST['password'])) {
    // everything seems fine
    echo 'ok';
  }
  else {
    // someone is doing a direct access; header() needs a full Location header
    header('Location: index.php');
    exit;
  }
?>

or check the session to protect your pages so that only logged-in users can reach them:

<?php
  session_start(); // required before $_SESSION can be read
  if (isset($_SESSION['userid'])) {
    // everything seems fine
    echo 'ok';
  }
  else {
    // someone is doing a direct access; header() needs a full Location header
    header('Location: index.php');
    exit;
  }
?>

Upvotes: 0

Jashwant

Reputation: 29005

As stated in comments,

How can we prevent the user from opening the PHP URL directly?

You should create a very long random string (token) in your PHP, store it in the session and pass it to the JS AJAX function, so that it sends the token along with the AJAX request. On the server side you can check whether it's the same token that was generated. You may want to expire the token soon.

I don't know if it's the standard way, but it can provide you with a start.

Upvotes: 0

Brad Christie

Reputation: 101614

I (or any client) can still use any number of tools to figure it out (including the built-in debugger in 99% of the browsers built); it's not worth obfuscating it.

If you're concerned about direct access, check for an AJAX request in your script. (Still hackable, but it's a start.) As also provided in a previous answer:

<?php

  $isAjax = isset($_SERVER['HTTP_X_REQUESTED_WITH'])
         && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
  if (!$isAjax) die('Unauthorized access');

  /* rest of search.php */

Upvotes: 3
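The two answers above sketch two gates for search.php: a per-session random token (Jashwant) and the X-Requested-With check (Brad Christie). The following is an added example combining both; it is not code from any of the answers, and the function names, the `X-Search-Token` header and the 300-second lifetime are assumptions.

```php
<?php
// Added example: a per-session random token that the page hands to the
// JavaScript and that search.php verifies on every request, alongside
// the X-Requested-With check. Function names and header name are assumed.
declare(strict_types=1);

const TOKEN_TTL = 300; // seconds a token stays valid (assumed value)

// Called by the page that renders the form: stores a fresh token in the
// session and returns it so the HTML can expose it (e.g. a data attribute).
function issue_search_token(): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $_SESSION['search_token'] = $token;
    $_SESSION['search_token_issued'] = time();
    return $token;
}

// Called at the top of search.php. True only when the request presents the
// token the session knows about and that token has not expired.
function verify_search_token(array $session, ?string $presented, int $now): bool
{
    if ($presented === null
        || !isset($session['search_token'], $session['search_token_issued'])) {
        return false;
    }
    if ($now - (int) $session['search_token_issued'] > TOKEN_TTL) {
        return false; // expired: the page must issue a new token
    }
    // hash_equals() compares in constant time, avoiding a timing side channel
    return hash_equals($session['search_token'], $presented);
}

// --- gatekeeping for search.php: the answer's AJAX check plus the token ---
if (PHP_SAPI !== 'cli') {
    session_start();
    $isAjax = isset($_SERVER['HTTP_X_REQUESTED_WITH'])
        && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
    // accept the token either as a request header or as a POST field
    $presented = $_SERVER['HTTP_X_SEARCH_TOKEN'] ?? ($_POST['token'] ?? null);
    if (!$isAjax || !verify_search_token($_SESSION, $presented, time())) {
        http_response_code(403);
        exit('Unauthorized access');
    }
    /* rest of search.php */
}
```

On the client, the page's `$.ajax` call would add `headers: { "X-Search-Token": token }` (or append `token` to `dataString`) with the value returned by `issue_search_token()`. This does not hide the URL, which is impossible as the answers note, but it does stop a bare request to search.php that lacks a valid session token.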
