prevent直接访问文件称为AJAX功能 [英] Prevent Direct Access To File Called By ajax Function

问题描述

我打电话从阿贾克斯PHP的code是这样的：

I'm calling the php code from ajax like this:

ajaxRequest.open("GET", "func.php" + queryString, true);

由于这是一个GET请求任何人都可以通过简单地检查头看看吧。数据被传递是不敏感的，但它有可能被滥用，因为它也是微不足道获取参数名称

Since it's a get request anyone can see it by simply examining the headers. The data being passed is not sensitive, but it could potentially be abused since it is also trivial to get the parameter names.

我如何prevent直接访问 HTTP：//mysite/func.php 还让我的AJAX页面访问它？

How do I prevent direct access to http://mysite/func.php yet allow my ajax page access to it?

此外，我已经试过了解决方案<一href="http://stackoverflow.com/questions/409496/$p$pvent-direct-access-to-a-php-include-file/409515#409515">posted这里但它并没有为我工作 - 总是得到直接访问不是premitted的消息

Also I have tried the solution posted here but its doesn't work for me - always get the 'Direct access not premitted' message.

推荐答案

大多数Ajax请求/框架应设置您可以用它来过滤阿贾克斯v非Ajax请求这个特殊的头。我用它来帮助确定在很多项目响应类型（JSON / HTML）：

Most Ajax requests/frameworks should set this particular header that you can use to filter Ajax v Non-ajax requests. I use this to help determine response type (json/html) in plenty of projects:

if( isset( $_SERVER['HTTP_X_REQUESTED_WITH'] ) && ( $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' ) )
{
	// allow access....
} else {
	// ignore....
}

编辑： 您可以在自己的Ajax请求在您的JavaScript code以下添加此自己：

edit: You can add this yourself in your own Ajax requests with the following in your javascript code:

var xhrobj = new XMLHttpRequest();
xhrobj.setRequestHeader("X-Requested-With", "XMLHttpRequest");

这篇关于prevent直接访问文件称为AJAX功能的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！