Traian Tatic

Reputation: 691

JavaScript .load doesn't see PHP's variables

I'm using the following script to load content on the page without refreshing it. The pages that I load this way should not be accessible as standalone pages.

<script>
    $(".toLoad").click(function (event) {
        event.preventDefault();
        $("#page-wrapper").load($(this).attr("href"));
    });
</script>

I have this in my index.php

define('SECURE', true);

and this in the other files

!defined('SECURE') and exit("Not allowed");

This system works very well with PHP's include or require functions, but it blocks me from loading the pages from my index.php using the given JavaScript. What's the workaround, or how could I restrict direct access but allow it through JavaScript on my main page?

Thanks!

Upvotes: 0

Views: 93

Answers (3)

KyawLay

Reputation: 403

You cannot send your secure variable from the index page to the next page, and a session should not be used for this purpose, as it will allow direct access because the session is always enabled on a request to the index page. But you can check on the server whether the request is an XMLHttpRequest (AJAX) request with the following function, as the load() function sends its request with the HTTP_X_REQUESTED_WITH header set to 'xmlhttprequest'.

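// jQuery's .load() sends the header "X-Requested-With: XMLHttpRequest",
// which PHP exposes as $_SERVER['HTTP_X_REQUESTED_WITH'].
function isAjax()
{
    return isset($_SERVER['HTTP_X_REQUESTED_WITH'])
        && !empty($_SERVER['HTTP_X_REQUESTED_WITH'])
        && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest';
}

if (!isAjax()) {
    echo "no direct access";
    exit(0);
}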

Upvotes: 1

Make a php-proxy thingy.. Then you .load('jsproxy.php?url=' + $(this).attr('href'));

I don't know php very much, but you should just define secure, and include the page in the url...

Upvotes: 1
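
The proxy approach from the answer above, as an added example that is not part of the original answers: a hypothetical `jsproxy.php` defines `SECURE` and includes the requested fragment, resolving the `url` parameter through a fixed allowlist so the client-supplied value never becomes a file path. The page names and the `pages/` directory are assumptions.

```php
<?php
// jsproxy.php: added example, not code from the question or the answers.
// Assumes the fragments live in ./pages/ and each begins with
//   !defined('SECURE') and exit("Not allowed");
define('SECURE', true);

// Allowlist of loadable fragments (constructed sample names).
const PAGES = [
    'home'    => 'home.php',
    'profile' => 'profile.php',
    'contact' => 'contact.php',
];

// Map the client-supplied value to a file on disk, or null if not allowed.
function resolvePage(string $requested, string $baseDir): ?string
{
    $key = basename($requested, '.php'); // "pages/profile.php" -> "profile"
    if (!array_key_exists($key, PAGES)) {
        return null;                     // "../../etc/passwd" ends up here
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$key]);
    // realpath() is false for a missing file; also confirm containment.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$requested = isset($_GET['url']) && is_string($_GET['url']) ? $_GET['url'] : '';
$file = resolvePage($requested, __DIR__ . '/pages');
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}
// Any login or permission check the fragment needs goes here, since this
// URL can be requested by any client, not only by .load() on the index page.
require $file;
```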

poncha

Reputation: 7866

define declares a constant, which is accessible during the script operation (only to PHP, which means only on the server).

  1. It is not a variable
  2. It does not persist between page loads (so when you hit another PHP file, this is not defined).

As for disallowing hotlinking - you can check the HTTP Referer, for instance, but it can be fooled.

Upvotes: 1
