
Allow PHP file to be requested by javascript but not directly from browser

I'm using a jquery script that uploads files with ajax and PHP. It sends a request to upload_a_file.php which then uploads files.

Is there a way that I can make sure upload_a_file.php is not loaded directly in a browser?

I tried putting upload_a_file.php above my public_html folder. But can't seem to get javascript to load upload_a_file.php.

Here is the url format I use in the javascript to request upload_a_file.php:

../upload_a_file.php

Is it even possible to access files above public_html with javascript?

JS cannot access anything on a server that you yourself as a user cannot. If a file is outside of the site's document root, it is NOT accessible by a user, or by JS. Imagine the fun place the web would be if JS could magically bypass access restrictions on a server and grab anything. "Aww, I was going to grab this bank's accounts list, but it's not in the document root. Good thing I've got Javascript, it can do everything!"

It'd be like every episode of 24, where "patching into the subnet" can magically bypass any firewall and get data from machines which aren't even online or (better yet) not even powered up. Amazing things, those subnets.

You can check that the HTTP header X-Requested-With is present and has a value of XMLHttpRequest. This is a non-standard header, but most JavaScript frameworks, including jQuery, Prototype, and mootools, follow this convention.

In PHP you can access it as $_SERVER['HTTP_X_REQUESTED_WITH'];

for example:

if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest')
{
 // do something   
}

Since direct browser access to a page is seen by PHP as a GET request, here is a very basic access control method to keep someone from inadvertently going directly to upload_a_file.php:

In your jquery script, use an ajax request with type "POST":

$.ajax({
    url:      "../upload_a_file.php",
    dataType: "json",
    type:     "POST"
});

and use this in your upload_a_file.php:

if ($_SERVER['REQUEST_METHOD'] == "POST") {
    // upload a file
} else {
    header("Location: http://example.com/myPublicUploadPage.php");
    die();
}

The javascript is running in the browser. It makes its requests through the browser. So, No, there's no way to access a page through ajax but not directly from the browser.

No, not directly. You can call another script (PHP or whatever) that will either "call" your script with include or, e.g., with fopen or curl.

Nothing can access files above public_html, because the web server will not serve them. Doing so would have obvious security vulnerabilities, like being able to view any file on your filesystem.

If you want to restrict the file to only being able to be loaded via your javascript, I would think you'd want to look at the $_SERVER['HTTP_REFERER'] variable in php. This should be set to the page the javascript is located on when it is being accessed properly. If it is anything else or empty, the user is accessing it in some other manner.

Using this method shouldn't be relied on for security however, because the referer can be spoofed with the right tools.
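Pulling the three checks from the answers above (request method, X-Requested-With, Referer) into one gate for upload_a_file.php, as an added example that is not code from the original thread. The expected origin, the redirect target and the path of the handler above public_html are assumptions; the sample requests at the bottom are constructed so the script can be run from the command line.

```php
<?php
// Added example (not code from the original thread). A single gate for
// upload_a_file.php that combines the three client-side signals the
// answers above describe: request method, X-Requested-With and Referer.
// Every one of these is set by the client, so the gate only stops someone
// who types the URL into the address bar; curl with the right headers
// walks straight through. Real protection must come from authentication
// and from validating the uploaded file itself.

// Assumed origin of the page that contains the jQuery upload script.
const EXPECTED_ORIGIN = 'https://example.com';

/**
 * Return the scheme://host[:port] part of a Referer URL, or null when the
 * header is missing or not parseable. Comparing the whole host, rather than
 * strpos() on the string, avoids matching "https://example.com.evil.net/".
 */
function referer_origin(?string $referer): ?string
{
    if ($referer === null || $referer === '') {
        return null;
    }
    $parts = parse_url($referer);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    $origin = strtolower($parts['scheme']) . '://' . strtolower($parts['host']);
    if (isset($parts['port'])) {
        $origin .= ':' . $parts['port'];
    }
    return $origin;
}

/**
 * True when the request looks like an XMLHttpRequest POST issued from a
 * page on EXPECTED_ORIGIN. $server is the $_SERVER array, passed in so the
 * function can be exercised with constructed requests from the CLI.
 */
function looks_like_ajax_upload(array $server): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;                      // address-bar access is a GET
    }
    $xrw = strtolower($server['HTTP_X_REQUESTED_WITH'] ?? '');
    if ($xrw !== 'xmlhttprequest') {
        return false;                      // jQuery adds this; fetch() does not
    }
    return referer_origin($server['HTTP_REFERER'] ?? null) === EXPECTED_ORIGIN;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests showing what the gate does and does not stop.
    $samples = [
        'typed into the address bar' => [
            'REQUEST_METHOD' => 'GET',
        ],
        'jQuery $.ajax POST from the upload page' => [
            'REQUEST_METHOD'        => 'POST',
            'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest',
            'HTTP_REFERER'          => 'https://example.com/myPublicUploadPage.php',
        ],
        'POST from a page on a look-alike host' => [
            'REQUEST_METHOD'        => 'POST',
            'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest',
            'HTTP_REFERER'          => 'https://example.com.evil.net/',
        ],
        'curl with both headers spoofed' => [
            'REQUEST_METHOD'        => 'POST',
            'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest',
            'HTTP_REFERER'          => 'https://example.com/',
        ],
    ];
    foreach ($samples as $label => $server) {
        printf("%-42s %s\n", $label, looks_like_ajax_upload($server) ? 'allowed' : 'redirected');
    }
    // The last sample is 'allowed': the checks cannot tell curl from jQuery.
} elseif (!looks_like_ajax_upload($_SERVER)) {
    header('Location: https://example.com/myPublicUploadPage.php', true, 303);
    exit;
} else {
    // The real handler can live above public_html, as one answer suggests:
    // this public stub pulls it in with require (assumed path).
    require dirname(__DIR__) . '/upload_handler.php';
}
```

Running it as `php upload_a_file.php` prints one line per constructed request; only the first three are redirected. The fourth is exactly what `curl -X POST -H 'X-Requested-With: XMLHttpRequest' -H 'Referer: https://example.com/' https://example.com/upload_a_file.php` sends, which is why the thread is right to call these checks convenience rather than security. Note also that jQuery's $.ajax sets X-Requested-With for you, but a plain fetch() or XMLHttpRequest does not, so a client that switches away from jQuery must add the header itself.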
