JasonDavis

Reputation: 48963

How to make sure a human doesn't view the results from a PHP script URL?

Recently when viewing the source of a site that was making an AJAX call, I tried to follow the link in the browser

www.site.com/script.php?query=value

Instead of getting the result I expected to see, I saw a message stating only scripts should view that page.

How do you restrict a script to only allowing a script to access it?

UPDATE:

Here is the DEMO page.

Upvotes: 3

Views: 484

Answers (8)

koen

Reputation: 13757

A lot of open source applications use a variation of this on top of every php file:

if (!defined('SOMETHING')) {
    die('only scripts have direct access');
}

Then in index.php they define SOMETHING:

define("SOMETHING", "access granted.");

edit: I'm not saying this is a good approach btw

edit2: Seems I missed the part about it being an ajax request. I agree in this case this isn't a solution.

Upvotes: -2

Kevin Vaughan

Reputation: 15200

As Tim stated, this script is almost certainly looking for this request header, which is being sent with each request to rpc.php (found via the net panel in firebug, naturally):

X-Requested-With    : XMLHttpRequest

As to cross-browser compatibility, the setRequestHeader method appears to be available with both the activex and xmlhttprequest connections so this should work in all major modern browsers.

Upvotes: 1

txyoji

Reputation: 6868

You could set a secret value into the php session with the 'view' script and check for it with the ajax scripts.

  • Request 'index.php' with the browser.
  • PHP builds the page, saves a key into the session, sends the content back to the browser.
  • The browser gets the page content and makes some ajax request to your site.
  • Those ajax scripts also have access to the same session your main page did, which allows you to check for a key.

This ensures only authenticated browsers are allowed to make the ajax requests.

Don't count on the ajax request being able to write to the session though. With many requests being satisfied at the same time, the last one in will be the last one written back to your session storage.

http://us.php.net/manual/en/book.session.php

Upvotes: 0
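The session-key approach above, written out as an added example (not txyoji's own code). It goes one step further than the answer by making the key a random per-session token that the page embeds and every AJAX request must send back, and it verifies it with a constant-time comparison. The file roles (`index.php` rendering, `rpc.php` answering), the `mode` query parameter, the `token` POST field and the session slot name are assumptions for this example.

```php
<?php
// Added example, not code from the original answers: a per-session secret that
// the page-rendering script issues and the AJAX script verifies.
// File roles, parameter names and the session key name are assumed.

declare(strict_types=1);

const AJAX_TOKEN_KEY = 'ajax_token';   // session slot name (assumed)

// index.php side: mint one random secret per session and hand it to the page.
function issueAjaxToken(array &$session): string
{
    if (empty($session[AJAX_TOKEN_KEY])) {
        // 32 bytes from the CSPRNG; hex makes it safe to embed in HTML or JSON.
        $session[AJAX_TOKEN_KEY] = bin2hex(random_bytes(32));
    }
    return $session[AJAX_TOKEN_KEY];
}

// rpc.php side: accept the request only if it carries the secret issued above.
function verifyAjaxToken(array $session, ?string $presented): bool
{
    if ($presented === null || empty($session[AJAX_TOKEN_KEY])) {
        return false;   // no page was served in this session, or no token sent
    }
    // Constant-time comparison so timing does not reveal the token.
    return hash_equals($session[AJAX_TOKEN_KEY], $presented);
}

// Web entry points (only reached when run under a web server).
if (PHP_SAPI !== 'cli') {
    session_start();
    if (($_GET['mode'] ?? '') === 'page') {
        // index.php role: render the page and embed the token for the JS to send back.
        $tokenLiteral = json_encode(issueAjaxToken($_SESSION));
        header('Content-Type: text/html; charset=utf-8');
        echo "<script>const AJAX_TOKEN = {$tokenLiteral};</script>\n";
        echo "<p>Page loaded; the script will POST the token with each rpc call.</p>\n";
        exit;
    }
    // rpc.php role: reject anything that did not come from a page we served.
    if (!verifyAjaxToken($_SESSION, $_POST['token'] ?? null)) {
        http_response_code(403);
        header('Content-Type: text/plain; charset=utf-8');
        exit('Invalid Request');
    }
    header('Content-Type: application/json');
    echo json_encode(['ok' => true]);
    exit;
}

// CLI self-check with a constructed in-memory "session" array.
$session = [];
$token = issueAjaxToken($session);
if (strlen($token) !== 64 || issueAjaxToken($session) !== $token) {
    throw new RuntimeException('token should be 64 hex chars and stable within a session');
}
if (!verifyAjaxToken($session, $token)) {
    throw new RuntimeException('the issued token must verify');
}
if (verifyAjaxToken($session, 'guess') || verifyAjaxToken([], $token)) {
    throw new RuntimeException('wrong token or missing session must be refused');
}
echo "token checks passed\n";
```

The page's JavaScript sends `AJAX_TOKEN` as the `token` field of a POST body. Because the token lives in the session, a request that arrives without first loading the page in that session is refused, which is the "authenticated browsers" property the answer describes; the token also doubles as a CSRF check. It still does not stop someone who loads the page and reads the token out of the source, which is the point the other answers make.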

Tim

Reputation: 984

With PHP you can check for this and only display results if the page is called via ajax:

function isAjax() {
    return (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && ($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'));
}

if(isAjax()) {
    // display content
} else {
    // not ajax, don't show
    echo 'Invalid Request';
}

Upvotes: 9

Henrik P. Hessel

Reputation: 36627

One possible solution is to check the HTTP request for its origin. Another solution is to send a "password" with every request. Take a look at this tutorial on how to do this.

But it's never 100% secure, it only makes it harder for possible intruders.

Upvotes: 4

tomzx

Reputation: 2033

If you are calling the script by AJAX, then it MUST be accessible for you because an AJAX call is similar to your browser actually asking for the page, thus it is not only script accessible but accessible to anyone.

If it was actually called by PHP or by some other means, you could "maybe" use Apache rules or PHP scripting to diminish the accessibility.

Upvotes: 0

Scharrels

Reputation: 3055

You can't. A human being can always spoof the request. You can send your request with a post variable, to make sure a human doesn't end up on the page by accident.

Upvotes: 6

John Meagher

Reputation: 24748

Short answer: you can't.

Long answer: You can make it harder to do it by requiring special header values in the HTTP request (setting Accept to application/json is a common one). On the server side just check to make sure that header is set to the value you expect. This will make it so that regular users will get the message you mention and your scripts will work just fine. Of course advanced users will be able to easily work around that sort of limitation so don't rely on it for security.

Upvotes: 10
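The header checks from Tim's and John's answers combined into one request filter, as an added example that is not code from either answer. It refuses a request unless it carries `X-Requested-With: XMLHttpRequest` and an `Accept` that includes `application/json`, records the reason server-side, and shows the generic message to the client. The function names and the log wording are assumptions for this example; the header names are the standard ones.

```php
<?php
// Added example, not code from the original answers: a filter applying the
// X-Requested-With and Accept header checks described above.
// Function names are assumed for this example.

declare(strict_types=1);

/**
 * Decide whether a request looks like it came from the site's own script.
 * Returns '' when it passes, otherwise the reason it was refused.
 * Both headers are set by the client, so this only separates "opened the URL
 * in the address bar" from "sent by our JS"; it authenticates nobody.
 */
function scriptRequestProblem(array $server): string
{
    $xrw = $server['HTTP_X_REQUESTED_WITH'] ?? '';
    if (strcasecmp($xrw, 'XMLHttpRequest') !== 0) {
        return 'missing X-Requested-With: XMLHttpRequest';
    }
    // A browser following a link sends Accept: text/html,...; our script asks
    // for JSON explicitly.
    $accept = strtolower($server['HTTP_ACCEPT'] ?? '');
    if (strpos($accept, 'application/json') === false) {
        return 'Accept does not include application/json';
    }
    return '';
}

// Serve the rpc response, or the generic refusal, based on the check above.
function serveRpc(array $server, callable $producer): void
{
    $problem = scriptRequestProblem($server);
    if ($problem !== '') {
        http_response_code(400);
        header('Content-Type: text/plain; charset=utf-8');
        error_log('rpc refused: ' . $problem);   // detail stays in the server log
        echo 'Invalid Request';
        return;
    }
    header('Content-Type: application/json');
    echo json_encode($producer());
}

if (PHP_SAPI !== 'cli') {
    serveRpc($_SERVER, fn() => ['result' => 'hello from rpc']);
    exit;
}

// CLI self-check with two constructed $_SERVER arrays.
$fromScript = [
    'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest',
    'HTTP_ACCEPT'           => 'application/json',
];
$fromAddressBar = [
    'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,*/*;q=0.8',
];
if (scriptRequestProblem($fromScript) !== '') {
    throw new RuntimeException('request from our script should pass');
}
if (scriptRequestProblem($fromAddressBar) === '') {
    throw new RuntimeException('address-bar request should be refused');
}
echo "header checks behave as expected\n";
```

The page's JavaScript has to send both headers, for example `fetch(url, {headers: {'X-Requested-With': 'XMLHttpRequest', 'Accept': 'application/json'}})`; jQuery's `$.ajax` adds `X-Requested-With` on its own for same-origin requests. As the answers say, any HTTP client can set these headers, so treat the filter as a way to keep casual visitors off the URL, and put real access control in the session or authentication layer.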
