Block direct access to PHP file except from AJAX request?

Question

I wish to have a webpage that uses AJAX to access a PHP file in ./ajax/file.ajax.php

Trouble is, I don\'t want people to be able to type the address in

Answer 1

If you're using jQuery to make the XHR, it will set a custom header X-Requested-With. You can check for that and determine how to serve your response.

$isXhr = isset($_SERVER["HTTP_X_REQUESTED_WITH"])
         AND strotlower($_SERVER["HTTP_X_REQUESTED_WITH"]) == "xmlhttprequest";

However, this is trivial to spoof. In the past, I've used this to decide whether to render a whole page (if not set) or a page fragment (if set, to be injected into current page).

Answer 2

If you're not using jQuery or you are not interested/you can't use custom headers (to go with what alex has offered), you may just simple POST some data with your Ajax request, and in that specific file check if that data has sent or not. If you send by GET it would be visible on the address bar, that's why I suggest POST.

<?php

if (empty($_POST['valid_ajax']))
    header('Location: /');

?>

It's not solid as you can fool that with providing handmade data, however that's better than nothing if your problem is not that critical.