I'm loading the content of the about.php page with jQuery AJAX into a section of my index.php like this:

```
$('.nav a[href="#about"]').on('click', function() {
  $('main').load('../../layout/about.php');
});
```

However, in my about.php page I have this:

```
<?php

if( !defined('cute') ) {
 die();
}

?>
```

And in the index.php page this:

```
<?php

define('cute', TRUE);

?>
```

And when heading from the index to the about page, nothing loads. When I comment out the "PHP files' direct access block" code, about.php loads; however, then I can access the included PHP files directly.

Could you please help me block direct access to the included PHP files while still loading them by AJAX? Thank you!

fuji
  • Googled `php prevent direct access but allow ajax` and found some results, e.g. [Prevent Direct Access To File Called By ajax Function](https://stackoverflow.com/questions/1756591/prevent-direct-access-to-file-called-by-ajax-function) and this [Prevent direct access to a PHP page](https://stackoverflow.com/questions/185483/prevent-direct-access-to-a-php-page) – FirstOne Nov 20 '17 at 19:39
  • `defines` are limited to the page they were created on... use `COOKIE` or Session Variables. – Forbs Nov 20 '17 at 19:45

2 Answers

It appears that you expect the PHP code from about.php to be inserted into index.php and then interpreted along with the main page's code. That's not what's happening. You're calling about.php, the server is running that file and returning the results (the HTML), and the HTML is being inserted into index.php.

So index.php is never seeing the define(), because about.php has already been processed; and index.php only sees the results of it.

Stephen R
  • Looks like so, because when I define CUTE in about.php, everything loads properly. So I'm going to use the best answer from here [Prevent Direct Access To File Called By ajax Function](https://stackoverflow.com/questions/1756591/prevent-direct-access-to-file-called-by-ajax-function) even though I don't know what headers and their spoofing are :( – fuji Nov 20 '17 at 19:52
  • You could maybe set a Session variable in index.php, then call it (and unset it) in about.php – Stephen R Nov 20 '17 at 20:00

First: index.php and about.php are different scripts. That means about.php knows nothing about index.php (if you need to, you can use include or require).

But if I understand your question right, you need to catch the difference between an AJAX request and a request from the browser. Try setting the second parameter, data, of the .load function:

```
$('.nav a[href="#about"]').on('click', function() {
  $('main').load('../../layout/about.php', {request_type:"ajax"});
});
```

The clue is {request_type:"ajax"}. You can get it in your about.php via the global POST array:

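```
// isset() avoids an undefined-index notice when the page is requested without POST data
if (isset($_POST['request_type']) && $_POST['request_type'] === "ajax") {
   //do your stuff
}
```
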
Ruboss
  • Is it better (more secure) than just wrapping the code in: `if( isset( $_SERVER['HTTP_X_REQUESTED_WITH'] ) && ( $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' ) ) { DO STUFF } else { die() }` ? – fuji Nov 20 '17 at 20:00
  • Headers can be spoofed – Stephen R Nov 20 '17 at 20:01
  • If you need more security, then prefer to use PHP SESSIONS (COOKIES), as @Forbs said. – Ruboss Nov 20 '17 at 20:04
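
The session approach suggested in the comments above, sketched as an added example that is not code from any of the posts: index.php stores a random token in the session and passes it to the page script, and about.php serves the fragment only when the POSTed token matches. The function names, the `fragment_token` session key and the `token` field are assumptions made for illustration.

```php
<?php
// Added example; all names are hypothetical, not from the original posts.

// index.php: session_start(); $token = issue_fragment_token($_SESSION);
// then echo json_encode($token) into the page script as TOKEN and call
//   $('main').load('../../layout/about.php', {token: TOKEN});
function issue_fragment_token(array &$session): string
{
    if (!isset($session['fragment_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded; the value is kept server-side.
        $session['fragment_token'] = bin2hex(random_bytes(32));
    }
    return $session['fragment_token'];
}

// about.php: session_start();
//   if (!fragment_request_allowed($_SESSION, $_POST)) { http_response_code(403); die(); }
function fragment_request_allowed(array $session, array $post): bool
{
    $expected = $session['fragment_token'] ?? null;
    $supplied = $post['token'] ?? null;
    // Both values must be strings; hash_equals() compares in constant time.
    return is_string($expected) && is_string($supplied)
        && hash_equals($expected, $supplied);
}

// Constructed demo for the PHP CLI: plain arrays stand in for $_SESSION and $_POST.
$session = [];
$token = issue_fragment_token($session);
$cases = [
    'ajax load with token'   => [$session, ['token' => $token]],
    'direct visit, no token' => [$session, []],
    'token without session'  => [[], ['token' => $token]],
    'wrong token'            => [$session, ['token' => str_repeat('0', 64)]],
];
foreach ($cases as $label => [$sess, $post]) {
    $result = fragment_request_allowed($sess, $post) ? 'served' : 'refused';
    printf("%-24s %s\n", $label, $result);
}
```

A plain browser visit to about.php sends no token and is refused, but any client that has loaded index.php can read the token and replay it, so this gates casual direct access rather than protecting content that needs real authorization.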