禁止直接访问PHP文件

Question

I have an html form which when it gets submitted it calls a JavaScript function which by using Ajax gets information from a PHP file using post and displays it back to the page.

The question is, is it possible to make the PHP file only accessible when using the above method instead of users being able to access it directly if they go through the JS method and find it's location?

Edit: Adding a bit more information to help people out. Ajax is calling an external php file in order to update the contents of the website based on what the php file returns. Since all the Ajax calls are made in the JavaScript someone can easily find out the location and the arguments the function is using and basically call the php file directly, which is what I'm trying to avoid.

Using PHP sessions is a bit hard in this case, since I'm using Ajax I can't destroy the session once the external PHP file is done since if I do the session never renews because I'm using Ajax to update the content of the website without refreshing it.

Answer 1

I agree with limscoder.

Here is how I use tokens on submitting forms.

1) initialize it and save it on server (when the page is loaded on the client side)

$token = $_SESSION['token'] = md5(uniqid(mt_rand(),true));

2) add it to the form

<input type="hidden" name="token" value="<?php echo $token;?>" />

3) when submitted I check the token using

if(isset($_SESSION['token'], $_POST['token']) && $_SESSION['token'] == $_POST['token'])
{
//code goes here
}

Answer 2

It sounds like you're describing a type of cross site request forgery . The normal way of preventing this is by including a server generated token as a form value, and then validating it against a value stored in the user's session when the form is submitted. Check out the link for instructions on how to properly generate and validate the token.

Answer 3

You can test what page called your script by checking the HTTP_REFERER (http://php.net/manual/en/reserved.variables.server.php)

BUT...it can be spoofed, so will only discourage casual attempts at getting to your data

Answer 4

Is the html page secured? If anyone can just access the html page to call your ajax page, why bother to spend time trying to secure it. :)

However if you really need to do so, you might need to convert the html page to a php page so that you can generate a token to be placed in the form. A good token would be the sha of a secret string appended with the year, month, day and hour. When the token is sent back, use the same way to generate a test token and compare the two. This makes the token valid only for 1 hour. Of cause, in the ajax, you might need to test against last hour's token, in case the user got the form at the last minute of the hour and submits after the hour.

Edit--- If your main concern are bots then just use a captcha test.