Asked 7 months ago. Answers: 5. Viewed 43 times.

I have an HTML document, which loads content from a PHP file using an AJAX call. The important bit of my code is below:

default.html :

/*more code above*/
var PHP_URL = "content.php";
var Content = document.getElementById('Content');
var ajaxRequest = new XMLHttpRequest(); // declared with var so it is not an implicit global
ajaxRequest.onreadystatechange =
    function() {
        if (ajaxRequest.readyState === 4) { // request finished
            if (ajaxRequest.status === 200)
                Content.innerHTML = ajaxRequest.responseText;
            else
                Content.innerHTML = "Error:<br/>unable to load page at <b>" + PHP_URL + "</b>";
            Content.className = "Content Solid";
        }
    };
ajaxRequest.open("GET", PHP_URL, true);
ajaxRequest.send();
/*more code below*/

Is it possible for the file at 'content.php' to detect that it has been called from 'default.html', or a different calling document as necessary?

 Answers

11

Most well-known Ajax frameworks like jQuery and MooTools add a specific header which you can check with PHP:

// The header is absent on a normal page load, so test for it before reading it
if (isset($_SERVER['HTTP_X_REQUESTED_WITH'])
    && strcasecmp('XMLHttpRequest', $_SERVER['HTTP_X_REQUESTED_WITH']) === 0)
{
    // Ajax Request
}
Wednesday, March 31, 2021
 
Oshrib
answered 7 Months ago
62

Let your Controller

  • generate access token
  • store in session for later comparison

In your View

  • declare the access token as JS variable
  • send the token with each request

Back in your Controller

  • validate HTTP_X_REQUESTED_WITH
  • validate token

Check these security guidelines from OpenAjax.
Also, read the article on codinghorror.com Annie linked.

Wednesday, March 31, 2021
 
steros
answered 7 Months ago
50

You are dealing with a common problem with closures. By the time your ajax request is executed, the counter "i" is already and always at its last value (4).

You have to create a new scope for that counter, so that it doesn't happen; you can do it in two ways:

The easy way:

for (var i = 1; i < 5; i++) {
    // let is block-scoped, so each iteration gets its own counter
    // (a var here would be hoisted to function scope and show the same problem)
    let counter = i;
    $.ajax({
        type: "GET",
        url: "results/result_html.php?usn=" + counter + "&resultType=" + resultType,
        dataType: "json",
        success: function(result) {
            finalResult += result;
            result = result + htmlMessage;
            $("#info").hide();
            $("#result").html(result);
            $("#usn").attr("placeholder", "Class USN");
        }
    });
}

Or the correct way:

for (var i = 1; i < 5; i++) {
    // an immediately invoked function gives each iteration its own counter
    (function(counter) {
        $.ajax({
            type: "GET",
            url: "results/result_html.php?usn=" + counter + "&resultType=" + resultType, // counter is the variable, not the string "counter"
            dataType: "json",
            success: function(result) {
                finalResult += result;
                result = result + htmlMessage;
                $("#info").hide();
                $("#result").html(result);
                $("#usn").attr("placeholder", "Class USN");
            }
        });
    })(i);
}
Saturday, May 29, 2021
 
Saxophlutist
answered 5 Months ago
41

Read this blog post: http://papermashup.com/jquery-php-mysql-username-availability-checker/

Saturday, May 29, 2021
 
Blacksonic
answered 5 Months ago
87

Most frameworks set the X-Requested-With header to XMLHttpRequest, for which Express has a test:

app.get('/path', function(req, res) {
  var isAjaxRequest = req.xhr;
  ...
});
Thursday, June 17, 2021
 
simPod
answered 5 Months ago