If you put an .htaccess with deny from all into the folder with the includes, then JS also cannot pull anything from there. How should the protection be organized?

More precisely, how do I protect the files that are invoked via an AJAX request, so that a page can be called through the site, but a direct call gives an error or a redirect?

  • 1
    And what, your JS pulls PHP includes from there? Is it difficult to spread what the client (JS) and the server (.php) need into separate folders? - Ali
  • They pull pages for AJAX but I do not want them to be addressed directly. - Ruslan Librovsky
  • Access them through a script. Let it only initialize the variables you need (for example, to protect scripts as in Joomla), and then pull up the requested file. - ling

3 answers

Set the permissions on the files called by AJAX to 644.

  • 3
    Alternatively, you can send a variable (test) with the AJAX request, no matter what, and in the request handler file do this: if (!isset($_POST['test'])) exit(); - DemoS
  • 1
    But this option is very good! - Ruslan Librovsky
  • 3
    Well then, "Accept the answer!" and be healthy! %) - DemoS
  • 1
    Yes, perfect. I did not figure it out myself: if it is possible to protect the includes through defined, then here it is similar. Credit! - Ruslan Librovsky
  • 2
    Here you go. And the man is now sure that he is reliably protected. As if you cannot fake a POST request. - Ali

When calling an include file, first check DEFINE. For example, make an AJAX request to the file index.php, and in index.php, define a variable.

index.php

 <?php
 define('DEFTEST', true);
 // ...
 ?>

Check files with DEFTEST:

 <?php
 if (!defined("DEFTEST")) die("Access denied!");
 // ...
 ?>

  • No, it does not work for AJAX. For simple includes it works; if it is called via AJAX, it exits through die. - Ruslan Librovsky

You can put all the includes in a separate directory and drop an .htaccess (deny from all) into it. And to use them via AJAX, create a separate router in the root (ajax.php), which itself will send data to and receive data from the handlers in the include directory.

  • And here it turns out that the handler ajax.php will receive POST data and, depending on it, include the necessary files. If I understand correctly, then you can also fake a POST request. - Ruslan Librovsky September
  • Your question is "How to protect the include file from a direct call?" - this task is fully accomplished. > you can also fake a POST request. You can fake it in a normal call! Everything needs to be checked for correctness, in our case either in the router or in the include files. - tyz
  • Well, that is exactly what I am asking about! I would be very grateful to see an example, or to read about it if you send a link. - Ruslan Librovsky September
  • Checking data for correctness is simple. Most often the data is either numeric or text. Numeric: cut out everything that is not a digit; if numbers known in advance are transmitted, check them and return an error if the number is not one of them. String: cut out tags and any other characters you do not need. Also check the address from which the request was sent. - tyz
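
The router approach from the last answer and its comments, as an added example that is not part of the original posts: ajax.php defines DEFTEST, maps an allowlisted key to a file in the closed directory, and validates each field before including the handler. The include/ directory name, the handler file names and the POST fields "action", "id" and "text" are assumptions made for illustration.

```php
<?php
// ajax.php (document root): added example of the router from the answer above.
// Hypothetical names: the include/ directory (closed by .htaccess "deny from
// all"), the handler files, and the POST fields "action", "id" and "text".
declare(strict_types=1);

define('DEFTEST', true); // handlers start with: if (!defined('DEFTEST')) die(...);

// Allowlist: the client sends a key, never a file name or a path.
const HANDLERS = [
    'news'    => 'news.php',
    'comment' => 'comment.php',
];

function fail(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $message]);
    exit;
}

function resolve_handler($action): ?string
{
    if (!is_string($action) || !array_key_exists($action, HANDLERS)) {
        return null; // unknown key, array input, "../" strings: all rejected
    }
    return __DIR__ . '/include/' . HANDLERS[$action];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') { fail(405, 'POST only'); }

$file = resolve_handler($_POST['action'] ?? null);
if ($file === null) { fail(404, 'Unknown action'); }

// Numeric field: accept only a positive integer.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if (!is_int($id)) { fail(400, 'Bad id'); }

// Text field: must be a string, tags stripped, length bounded.
$raw  = $_POST['text'] ?? '';
$text = is_string($raw) ? trim(strip_tags($raw)) : null;
if ($text === null || strlen($text) > 2000) { fail(400, 'Bad text'); }

// A forged POST reaches this line too, which is why the handler is given
// only the validated $id and $text and never reads $_POST itself.
require $file;
```

The DEFTEST check and the .htaccess rule only stop direct calls to the handler files; they do not identify who sent the request, so the validation in the router is what limits a forged POST.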