Reputation: 273
I am sending data to a PHP site using the following code:
var xmlhttp;
if (window.XMLHttpRequest)
{   // code for IE7+, Firefox, Chrome, Opera, Safari
    xmlhttp = new XMLHttpRequest();
}
else
{   // code for IE6, IE5
    xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
}
// encodeURIComponent() rather than the deprecated escape(): escape() leaves '+' unencoded
// (PHP reads it back as a space) and emits %uXXXX sequences that PHP does not decode.
xmlhttp.open("GET", "addEmail.php?email=" + encodeURIComponent(email), true);
xmlhttp.send();
// (the original ended with "xmlhttp.close;", a no-op: XMLHttpRequest has no close() method)
Is there any way of making sure that addEmail.php is being run through the XMLHttpRequest, so people can't simply go to www.domain.com/[email protected] to make the PHP site eat their email and run a thousand requests on the page? Thanks in advance
Upvotes: 5
Views: 12504
Reputation: 432
The user is always able to access the PHP script directly, but you can protect it a bit more by adding this check to the PHP script:
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest')
{
//CODE HERE
}
Additionally, like Eugen Rieck mentioned, you could send a token.
Upvotes: 21
Reputation: 65314
The standard way to do this is to send some sort of (time dependent) token with the page that contains the AJAX code, then send the token together with the AJAX call. Users who directly use the AJAX URL will not know the current token value.
Upvotes: 1
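The two answers above (the X-Requested-With check and the time-dependent token) combined into one working sketch, as an added example that is not code from either answer. Assumptions: a server-side secret in TOKEN_SECRET (placeholder value, load it from configuration in practice), PHP sessions available, the client sending the token in an X-Csrf-Token header, and a JavaScript variable `email` holding the address, as in the question. Note that a bare XMLHttpRequest does not add the X-Requested-With header by itself (libraries such as jQuery do), so the script sets it explicitly; the token is bound to the session id so a value copied from one browser is useless in another.

```php
<?php
// Added example: a time-limited HMAC token the page embeds for its own AJAX call, and the
// checks addEmail.php runs before accepting a request. Not code from the original answers.
const TOKEN_SECRET = 'replace-with-a-random-32-byte-secret'; // placeholder; real value from config
const TOKEN_TTL    = 600;                                    // seconds a token stays valid

// Build "expiry:hmac". The MAC covers the expiry and the session id, so neither can be altered.
function issue_token(string $sessionId, int $now, int $ttl = TOKEN_TTL): string
{
    $expiry = $now + $ttl;
    $mac = hash_hmac('sha256', $expiry . '|' . $sessionId, TOKEN_SECRET);
    return $expiry . ':' . $mac;
}

// Expiry check plus constant-time MAC comparison; any malformed input is rejected.
function verify_token(string $token, string $sessionId, int $now): bool
{
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    [$expiry, $mac] = $parts;
    if ((int)$expiry < $now) {
        return false;
    }
    $expected = hash_hmac('sha256', $expiry . '|' . $sessionId, TOKEN_SECRET);
    return hash_equals($expected, $mac);
}

// The page hosting the AJAX code: start the session, mint a token, hand it to the script.
// The script sets X-Requested-With itself; a plain XMLHttpRequest does not add that header.
function render_page(): void
{
    session_start();
    $tokenJs = json_encode(issue_token(session_id(), time()));
    echo <<<HTML
<script>
var xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST", "addEmail.php", true);
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xmlhttp.setRequestHeader("X-Requested-With", "XMLHttpRequest");
xmlhttp.setRequestHeader("X-Csrf-Token", {$tokenJs});
xmlhttp.send("email=" + encodeURIComponent(email));   // `email` assumed to hold the address
</script>
HTML;
}

// addEmail.php: every failed check ends the request with a 4xx, so a direct visit to the URL
// or a replayed token does nothing. Runs before any database work.
function handle_add_email(): void
{
    session_start();
    $headerOk = isset($_SERVER['HTTP_X_REQUESTED_WITH'])
        && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !$headerOk) {
        http_response_code(405);
        exit;
    }
    if (!verify_token($_SERVER['HTTP_X_CSRF_TOKEN'] ?? '', session_id(), time())) {
        http_response_code(403);
        exit;
    }
    $email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        http_response_code(400);
        exit;
    }
    // store $email here (with a prepared statement), then acknowledge
    header('Content-Type: application/json');
    echo json_encode(['ok' => true, 'email' => $email]);
}

if (PHP_SAPI === 'cli') {   // self-check from the command line: valid, wrong session, expired
    $t = issue_token('sess-1', 1000);
    if (!verify_token($t, 'sess-1', 1000) || verify_token($t, 'sess-2', 1000)
        || verify_token($t, 'sess-1', 1000 + TOKEN_TTL + 1)) {
        throw new RuntimeException('token self-check failed');
    }
    echo "token self-check passed\n";
} elseif (basename($_SERVER['SCRIPT_NAME']) === 'addEmail.php') {
    handle_add_email();
} else {
    render_page();
}
```

Run with `php token-example.php` for the self-check, or serve it under two names (the page and addEmail.php) to see the dispatch. The X-Requested-With check alone only stops a browser address-bar visit, since any HTTP client can set the header; the token is what ties a request to a session that actually loaded the page, and it still does not stop that same session from repeating the call, which is what a rate limit is for.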
Reputation: 887887
That is fundamentally impossible.
You need to limit the number of requests per IP address on the server.
Upvotes: 2
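A per-IP limit of the kind this answer recommends, as an added example that is not code from the answer. Assumptions: a writable temp directory for the counters, REMOTE_ADDR being the real client address (behind a reverse proxy, use its forwarded header only if you trust that proxy), and a fixed window of 10 requests per 60 seconds; the address 203.0.113.7 in the self-check is a constructed documentation value.

```php
<?php
// Added example: a per-IP fixed-window rate limit that addEmail.php applies before doing
// any work. Not code from the original answer. State is one small JSON file per address,
// updated under an exclusive lock so concurrent requests from one address are serialized.
const RATE_LIMIT  = 10;   // requests allowed per window
const RATE_WINDOW = 60;   // window length in seconds

// Returns true if the request may proceed, false once the address has used up its window.
// Fails closed: if the counter cannot be read or written, the request is refused.
function rate_limit_allow(string $ip, int $now, ?string $dir = null): bool
{
    $dir  = $dir ?? sys_get_temp_dir();
    $file = $dir . '/ratelimit-' . hash('sha256', $ip) . '.json';

    $fh = fopen($file, 'c+');          // create if missing, do not truncate
    if ($fh === false) {
        return false;
    }
    flock($fh, LOCK_EX);
    $raw   = stream_get_contents($fh);
    $state = $raw === '' ? null : json_decode($raw, true);
    if (!is_array($state) || $now - (int)($state['start'] ?? 0) >= RATE_WINDOW) {
        $state = ['start' => $now, 'count' => 0];   // first request of a new window
    }
    $allowed = $state['count'] < RATE_LIMIT;
    if ($allowed) {
        $state['count']++;
    }
    rewind($fh);
    ftruncate($fh, 0);
    fwrite($fh, json_encode($state));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $allowed;
}

// Put this at the top of addEmail.php: refuse with 429 before touching the database.
function enforce_rate_limit(): void
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    if (!rate_limit_allow($ip, time())) {
        http_response_code(429);
        header('Retry-After: ' . RATE_WINDOW);
        exit;
    }
}

if (PHP_SAPI === 'cli') {   // self-check in a fresh directory so earlier runs do not interfere
    $dir = sys_get_temp_dir() . '/ratelimit-demo-' . uniqid();
    mkdir($dir);
    $results = [];
    for ($i = 0; $i < RATE_LIMIT + 1; $i++) {
        $results[] = rate_limit_allow('203.0.113.7', 1000, $dir);   // constructed test address
    }
    $ok = count(array_filter($results)) === RATE_LIMIT       // first 10 pass
        && end($results) === false                           // the 11th is refused
        && rate_limit_allow('203.0.113.7', 1000 + RATE_WINDOW, $dir);   // next window passes
    echo $ok ? "rate-limit self-check passed\n" : "rate-limit self-check failed\n";
}
```

A fixed window lets a client burst twice the limit across a window boundary; a sliding window or token bucket is tighter if that matters. The file store is only for illustration: under real load keep the counters in something shared such as APCu, Redis or the database, and consider limiting per session or per email address as well as per IP, since many users can sit behind one address.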