I have an AJAX form on index.php that processes via order.php.

How can I ensure that order.php is being accessed through the AJAX form prior to processing so I can ignore direct access requests to order.php?

I tried using a Session variable and making sure the session variable set in index.php is set before processing order.php, but if someone goes to index.php first and then goes to order.php directly, it will still process order.php even though it wasn't via the AJAX form.

ProgrammerGirl
  • You really can't. Nor should you care. They're all web requests. Rather than verifying the request originated how you expect it to, you need to verify it gives you the data you expect. – Taplar Apr 17 '19 at 16:08
  • @Taplar: The problem is precisely with our data verification which throws an exception if the form is empty, so I am getting bombarded with e-mail alerts about this exception when crawlers and such access the order.php page directly. – ProgrammerGirl Apr 17 '19 at 16:33

1 Answer

// isset() must wrap the variable itself, not a comparison expression
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest')
{
  // Code that will run if this file is called via an AJAX request
}
else
{
  // Code that will run when accessing this file directly
}
svikramjeet
  • This isn't exactly a workable solution. It's trivial to add a header to the request to fake this information. – Rory McCrossan Apr 17 '19 at 16:14
  • @RoryMcCrossan: It may not be perfect, but it's precisely what I was looking for. It's good enough for real-world use to avoid crawlers and such from processing the order.php page directly. If someone is really bothered to fake their headers just to process our order.php page, then they can have fun with that. – ProgrammerGirl Apr 17 '19 at 16:31
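
The checks discussed in this thread, combined into one gate for order.php, as an added example that is not code from the question or the answer. It treats the X-Requested-With header as a noise filter only, ties the request to a token that index.php issued (which closes the "visit index.php, then open order.php directly" gap described in the question), and answers bad input with a status code instead of an exception. The function names, the `order_token` session key and the `token` / `item` POST fields are assumptions.

```php
<?php
// Added example, not from the thread. Hypothetical names: issue_order_token(),
// order_request_status(), the 'order_token' session key, the 'token'/'item' fields.

// index.php side: create a per-session token and embed it in the AJAX payload.
function issue_order_token(array &$session): string
{
    $session['order_token'] = bin2hex(random_bytes(32));
    return $session['order_token'];
}

// order.php side: decide how to answer before any order processing runs.
// Returns the HTTP status to send; only 200 means "go on and process".
function order_request_status(array $server, array $post, array $session): int
{
    // Crawlers and direct visits arrive as GET/HEAD: reject quietly, no exception.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 405;
    }
    // Any client can send this header, so it filters noise and nothing more.
    if (($server['HTTP_X_REQUESTED_WITH'] ?? '') !== 'XMLHttpRequest') {
        return 400;
    }
    // The token must match the one index.php stored (constant-time comparison).
    $expected = $session['order_token'] ?? '';
    $given    = $post['token'] ?? '';
    if (!is_string($given) || $expected === '' || !hash_equals($expected, $given)) {
        return 403;
    }
    // Validate the data itself: an empty form is a client error, not an alert.
    if (!is_string($post['item'] ?? null) || trim($post['item']) === '') {
        return 422;
    }
    return 200;
}

// Constructed sample requests (not real traffic).
$session = [];
$token   = issue_order_token($session);
$ajax    = ['REQUEST_METHOD' => 'POST', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'];

echo order_request_status(['REQUEST_METHOD' => 'GET'], [], $session), "\n";              // direct visit
echo order_request_status($ajax, ['item' => 'book'], $session), "\n";                    // header only, no token
echo order_request_status($ajax, ['token' => $token, 'item' => ''], $session), "\n";     // empty form
echo order_request_status($ajax, ['token' => $token, 'item' => 'book'], $session), "\n"; // real form
```

In order.php the function would be called with `$_SERVER`, `$_POST` and `$_SESSION` after `session_start()`, and any status other than 200 sent with `http_response_code()` before exiting.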