Preventing Direct Access to Files Accessed via AJAX
When a PHP file such as "func.php" is meant to be called only through AJAX requests, a user can still open that file directly in the browser, which can be a security concern. To address this, it's crucial to implement a mechanism that differentiates between AJAX requests and direct access attempts.
One effective solution is to leverage the "HTTP_X_REQUESTED_WITH" server variable. Most AJAX frameworks set this header to "XMLHttpRequest", providing a way to distinguish between genuine AJAX requests and direct browser access. This header check can be implemented in the PHP file as follows:
<?php
// Only requests that carry the X-Requested-With header reach the real logic
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest') {
    // Allow access...
} else {
    // Ignore or deny access...
}
With this check in place, a request that does not carry the header, such as the URL typed directly into the browser's address bar, is rejected, and only requests sent as AJAX calls reach the file's real logic, protecting it from casual direct access.
Additionally, if you use the raw XMLHttpRequest API rather than a framework, the "X-Requested-With" header is not added automatically, so set it yourself in your AJAX request with the following JavaScript code:
var xhrobj = new XMLHttpRequest();
xhrobj.open("POST", "func.php");
// Custom headers can only be set after open() and before send()
xhrobj.setRequestHeader("X-Requested-With", "XMLHttpRequest");
xhrobj.send();
This step guarantees the header is present even when no framework adds it, so the server-side check above keeps working.
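A fuller version of the server-side check, added here as an example that is not code from the original article: it wraps the X-Requested-With test in a reusable function, uses the browser's own Sec-Fetch-Mode and Sec-Fetch-Site headers as a second signal, and logs every rejection. The file name ajax_guard.php and the assumption that the calling page and func.php share one origin are mine.

```php
<?php
// ajax_guard.php (hypothetical file name): guard for an AJAX-only endpoint.
// The check reads headers from an array so it can be tested without a web server.

/**
 * Returns null when the request looks like an AJAX call from our own page,
 * otherwise a short reason string explaining why it was rejected.
 */
function ajax_request_problem(array $server): ?string
{
    // 1. The header the article relies on. Frameworks such as jQuery add it;
    //    raw XMLHttpRequest callers must set it themselves (case-insensitive).
    $xrw = $server['HTTP_X_REQUESTED_WITH'] ?? '';
    if (strcasecmp($xrw, 'XMLHttpRequest') !== 0) {
        return 'missing or wrong X-Requested-With header';
    }

    // 2. Fetch-metadata headers, sent automatically by current browsers.
    //    A URL typed into the address bar arrives as Sec-Fetch-Mode: navigate,
    //    Sec-Fetch-Site: none; an XHR from our own page arrives as mode=cors,
    //    site=same-origin. Clients that omit them (older browsers) are tolerated.
    $mode = $server['HTTP_SEC_FETCH_MODE'] ?? null;
    if ($mode === 'navigate') {
        return 'browser navigation, not an XHR';
    }
    $site = $server['HTTP_SEC_FETCH_SITE'] ?? null;
    if ($site !== null && $site !== 'same-origin') {
        return 'request did not originate from our own origin';
    }
    return null;
}

/** Call at the very top of func.php, before any real work is done. */
function require_ajax(): void
{
    $problem = ajax_request_problem($_SERVER);
    if ($problem === null) {
        return;
    }
    // Log the rejection for detection; the client only sees a generic 403.
    error_log('func.php: rejected request from '
        . ($_SERVER['REMOTE_ADDR'] ?? 'unknown') . ': ' . $problem);
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    echo 'Forbidden';
    exit;
}

// In func.php:  require_once 'ajax_guard.php'; require_ajax(); ...normal handling...
```

Because any HTTP client can send these headers, this guard distinguishes a typed-in URL from a script call but is not authentication; session checks and authorization still belong in func.php itself.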
The above is the detailed content of How to Prevent Direct Access to Files Accessed via AJAX in PHP?. For more information, please follow other related articles on the PHP Chinese website!