You should check out "Preventing Unwanted Access to Your API"[1] at the Zend
Developer Zone[2]. For a more general overview, you should check out
"Cross-Site Request Forgeries"[3] by Chris Shiflett.

Another thing you could do is check for an "X-Requested-With" header:

// PHP exposes request headers in $_SERVER as HTTP_<NAME>, so the key is HTTP_X_REQUESTED_WITH, not 'X-Requested-With'
isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest';

And bail out if it's not there or isn't equal to "XMLHttpRequest". This will
prevent your scripts from being loaded via the browser's address bar, but
keep in mind that someone could still fake the HTTP headers, so this is best
done in combination with the other methods I mention.

[1] http://feeds.feedburner.com/~r/ZendDeveloperZone/~3/81373192/1616
[2] http://devzone.zend.com
[3] http://shiflett.org/articles/cross-site-request-forgeries

On 2/5/07, Arne-Kolja Bachstein <[EMAIL PROTECTED]> wrote:

Hi there,

do you have any ideas how I could secure my PHP files against direct
calls of the functions an AJAX script calls? For example, if I let my
AJAX script send a request to foo.php and foo.php returns a line of code
that the AJAX script usually writes onto my site, how can I avoid these
calls being submitted from outside, or other sites reading these calls' results?

Greets,

Arne


_______________________________________________
jQuery mailing list
discuss@jquery.com
http://jquery.com/discuss/
--
Aaron Heimlich
Web Developer
[EMAIL PROTECTED]
http://aheimlich.freepgs.com
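As an added example that is not code from either poster: below is how the X-Requested-With check from the reply can be combined with the per-session CSRF token that the referenced Shiflett article describes, written as a guard for an endpoint like the foo.php in the question. The function names, the session key csrf_token, the POST field name and the 403 responses are my own choices, and the code assumes PHP 7.1 or later (random_bytes, hash_equals, nullable types).

```php
<?php
// Added example, not from the original mailing-list thread. Guards an AJAX-only
// endpoint such as foo.php with (1) the X-Requested-With header check from the
// reply and (2) a per-session CSRF token, which is the check that actually holds
// up against a forged request. Names below are assumptions, not a known API.

// PHP exposes request headers in $_SERVER as HTTP_<NAME>, upper-cased, with
// '-' turned into '_', so "X-Requested-With: XMLHttpRequest" arrives as
// $_SERVER['HTTP_X_REQUESTED_WITH']. A browser does not add this header on an
// address-bar load, an <img> fetch or a plain <form> post, but any non-browser
// client can set it, so treat this as a filter, not as authentication.
function is_xhr_request(array $server): bool
{
    return isset($server['HTTP_X_REQUESTED_WITH'])
        && $server['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest';
}

// Returns the session's CSRF token, creating a fresh 256-bit one on first use.
// $session is passed by reference so it works with $_SESSION directly.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// True only when a token exists in the session and the submitted value matches.
// hash_equals compares in constant time so the token does not leak via timing.
function csrf_token_is_valid(array $session, ?string $submitted): bool
{
    if (!isset($session['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// Call this before any output. Another site cannot read our session token
// (same-origin policy), so it cannot produce a request that passes the second
// check even if it fakes the first one.
function guard_ajax_endpoint(array $server, array $session, array $post): void
{
    if (!is_xhr_request($server)) {
        http_response_code(403);
        exit('AJAX requests only');
    }
    if (!csrf_token_is_valid($session, $post['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Missing or invalid CSRF token');
    }
}

// --- foo.php (the endpoint from the question) -------------------------------
session_start();
guard_ajax_endpoint($_SERVER, $_SESSION, $_POST);
// ... the real work of foo.php follows here ...

// --- the page that issues the request --------------------------------------
// Embed csrf_token($_SESSION) into the jQuery call so it is POSTed back:
//   $.post('foo.php', { csrf_token: '<?php echo csrf_token($_SESSION); ?>' },
//          function (html) { $('#target').html(html); });
// jQuery's XHR helpers set the X-Requested-With header themselves, so the first
// check passes for the page's own AJAX calls without extra client code.
```

The header check on its own only stops accidental direct loads; curl -H 'X-Requested-With: XMLHttpRequest' defeats it in one line. The token is what stops other sites from submitting these calls or reading their results, which is why the guard requires both.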