
Is there a way to make sure PHP is being loaded only by JS?

Is there a way to make a PHP file so that it can only be loaded and executed by the Javascript code that I write? I.e., can I make sure that someone can't read my JS, load up the PHP page in their browser with their own variables, and make unauthorized changes to my database? Any help much appreciated.

No.

You can check if $_SERVER['HTTP_X_REQUESTED_WITH'] is set and equals "XMLHttpRequest", but this is just an HTTP header that can be faked.

Javascript just makes standard HTTP requests which can be reproduced in any number of ways. HTTP is a very simple protocol that does not offer the possibility to distinguish between clients in any reliable way. Identical requests are identical. You need to build your user identification and authorization scheme yourself on top of HTTP; it's not part of the protocol. The server needs to decide and enforce what is authorized and what isn't based on rules (that you establish), not on who asked.

Is there a way to make a PHP file so that it can only be loaded and executed by the Javascript code that I write?

Not reliably, no. Any request can be forged on client side. This method is not acceptable to establish security. You will have to use some kind of authentication on server side.

No. It is simple to write a 10 line program in e.g. Python to spoof any user agent. You cannot ever trust anything that any user sends you ever under any circumstances.

Doing so will bring shame on your entire family, all of your ancestors and cause your descendants to be forever stigmatized as the offspring of "that guy".

Maybe you can check the request header sent by Javascript. AJAX calls should send this line:

X-Requested-With: XMLHttpRequest
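
The answers above agree that the server has to decide what a request may do. The following is an added example, not part of the original thread, of a PHP handler that never consults X-Requested-With and instead enforces a login session, a CSRF token and per-row ownership. The function name, the notes table and the sample requests are constructed for illustration, and the demo assumes the pdo_sqlite extension is available.

```php
<?php
declare(strict_types=1);
// Hypothetical handler: the server decides what a request may do.
// $server/$session/$post stand in for $_SERVER, $_SESSION and $_POST.
function handleUpdate(array $server, array $session, array $post, PDO $db): int
{
    // X-Requested-With is deliberately never consulted:
    // any client can send it, so it proves nothing.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 405;
    }
    // 1. Authentication: server-side session state set at login.
    if (!isset($session['user_id'], $session['csrf'])) {
        return 401;
    }
    // 2. CSRF token: other sites cannot ride the user's session.
    if (!hash_equals($session['csrf'], (string)($post['csrf'] ?? ''))) {
        return 403;
    }
    // 3. Validate every client-supplied value.
    $noteId = filter_var($post['note_id'] ?? null, FILTER_VALIDATE_INT);
    $body   = trim((string)($post['body'] ?? ''));
    if ($noteId === false || $body === '' || strlen($body) > 500) {
        return 422;
    }
    // 4. Authorization inside the query: only the owner's row can change.
    $stmt = $db->prepare('UPDATE notes SET body = ? WHERE id = ? AND owner_id = ?');
    $stmt->execute([$body, $noteId, $session['user_id']]);
    return $stmt->rowCount() === 1 ? 200 : 404;
}

// Constructed demo data: user 1 owns note 10, user 2 owns note 20.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)');
$db->exec("INSERT INTO notes VALUES (10, 1, 'mine'), (20, 2, 'theirs')");

// Every constructed request carries the AJAX header; it changes nothing.
$ajax  = ['REQUEST_METHOD' => 'POST', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'];
$login = ['user_id' => 1, 'csrf' => bin2hex(random_bytes(16))];
$cases = [
    'header only, no session'  => [[], ['note_id' => '10', 'body' => 'x']],
    'logged in, wrong token'   => [$login, ['note_id' => '10', 'body' => 'x', 'csrf' => 'guess']],
    'logged in, not the owner' => [$login, ['note_id' => '20', 'body' => 'x', 'csrf' => $login['csrf']]],
    'logged in, owner'         => [$login, ['note_id' => '10', 'body' => 'x', 'csrf' => $login['csrf']]],
];
foreach ($cases as $label => [$session, $post]) {
    printf("%-26s => %d\n", $label, handleUpdate($ajax, $session, $post, $db));
}
```

In a real endpoint the three arrays would be `$_SERVER`, `$_SESSION` and `$_POST`, and the returned integer would be passed to `http_response_code()`.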

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

 
© 2020-2024 STACKOOM.COM