3

In simplest terms, I utilize external PHP scripts throughout my client's website for various purposes such as getting search results, updating content, etc.

I keep these scripts in a directory:

www.domain.com/scripts/scriptname01.php
www.domain.com/scripts/scriptname02.php
www.domain.com/scripts/scriptname03.php

etc..

I usually execute them using jQuery AJAX calls.

What I'm trying to do is find is a piece of code that will detect (from within) whether these scripts are being executed from a file via AJAX or MANUALLY via URL by the user.

IS THIS POSSIBLE??

I've have searched absolutely everywhere and tried various methods to do with the $_SERVER[] array but still no success.

casperOne
  • 73,706
  • 19
  • 184
  • 253
Albert Rannetsperger
  • 794
  • 2
  • 9
  • 19
  • 1
    When you say URL and user, do you mean a typical user whose skills do not go beyond experimenting with the browser address bar or do you mean a user who understands a little more about what HTTP is and how to use it? – Lee Kowalkowski Sep 04 '11 at 21:04

3 Answers3

3

What I'm trying to do is find is a piece of code that will detect (from within) whether these scripts are being executed from a file via AJAX or MANUALLY via URL by the user.

IS THIS POSSIBLE??

No, not with 100% reliability. There's nothing you can do to stop the client from simulating an Ajax call.

There are some headers you can test for, though, namely X-Requested-With. They would prevent an unsophisticated user from calling your Ajax URLs directly. See Detect Ajax calling URL

Community
  • 1
  • 1
Pekka
  • 442,112
  • 142
  • 972
  • 1,088
  • thanks for ur help, i thought as much (not being 100% reliable). it's not a major issue with security as i've already bomb-proofed my scripts against mysql injection, etc. but any additional ways to deter hackers is always useful. – Albert Rannetsperger Sep 04 '11 at 21:59
2

Most AJAX frameworks will send an X-Requested-With: header. Assuming you are running on Apache, you can use the apache_request_headers() function to retrieve the headers and check for it/parse it.

Even so, there is nothing preventing someone from manually setting this header - there is no real 100% foolproof way to detect this, but checking for this header is probably about as close as you will get.

Depending on what you need to protect and why, you might consider requiring some form of authentication, and/or using a unique hash/PHP sessions, but this can still be reverse engineered by anyone who knows a bit about Javascript.

As an idea of things that you can verify, if you verify all of these before servicing you request it will afford a degree of certainty (although not much, none if someone is deliberately trying to cirumvent your system):

  • Store unique hash in a session value, and require it to be sent back to you by the AJAX call (in a cookie or a request parameter) so can compare them at the server side to verify that they match
  • Check the X-Requested-With: header is set and the value is sensible
  • Check that the User-Agent: header is the same as the one that started the session

The more things you check, the more chance an attacker will get bored and give up before they get it right. Equally, the longer/more system resources it will take to service each request...

DaveRandom
  • 87,921
  • 11
  • 154
  • 174
1

There is no 100% reliable way to prevent a user, if he knows the address of your request, from invoking your script.

This is why you have to authenticate every request to your script. If your script is only to be called by authenticated users, check for the authentication again in your script. Treat it as you will treat incoming user input - validate and sanitize everything.

On Edit: The same could be said for any script which the user can access through the URL. For example, consider profile.php?userid=3

Extrakun
  • 19,057
  • 21
  • 82
  • 129