On Aug 6, 2010, at 9:41 AM, Marc Guay wrote: > Hi folks, > > I'm looking for a straightforward way to protect PHP files which are > called via AJAX from being called from outside my application. > Currently, someone could forseeably open the console and watch the > javascript post variables to a public file (actions/delete_thing.php) > and then use this knowledge to trash the place. I found this thread > at stackoverflow which seems to cover the issue I'm looking at, but > it's pretty intense and I figure there's an easier way but I'm not > sure how. > > http://stackoverflow.com/questions/2486327/jquery-post-and-php-prevent-the-ability-to-use-script-outside-of-main-website > > It seems unlikely that this is the method everyone uses, but maybe > not. Advice is nice. > Marc > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > Marc-
The best way (and what I currently use) is to add a nonce style value to the form with a random name and then also add that to the session. $nonce = sha1(microtime(true)); $name = sha1(rand(0,10)); $_SESSION['nonce'] = array($name => $nonce); ?><input type="hidden" value="<?php echo $nonce; ?>" name="<?php echo $name; ?>" /><?php Then in the processing code check the nonce value to ensure (a) it exists, and (b) it matches the current session. You can also log all events in a table, filtering out user who make too many requests per minute / second / etc, depending on what you are using the AJAX bit for. Thanks, -Josh -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
