
How to prevent direct access to the file called via Ajax?


eevan79


I use jQuery when adding messages. However, the file can be called directly. For example: includes/add_comment.php?id=2

So, I can make a form and call this file directly to add a message. ID is the user id, and the form can be submitted as an HTML form wherever it is located.

How to prevent direct access to the file when it is called through Ajax?

It's impossible to stop someone making a request directly to a file called through Ajax.  But what you can do is use some sort of authentication, the type depending on what you want to achieve.


If you want to stop spam, you would use a Captcha.  If you want to authenticate the user, you would store the user id in session data and use that in add_comment.php, instead of expecting it to be passed via Ajax.
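The session-based approach from the reply above, written out as an added example (not code from the thread or from the poster's site). It assumes a login step elsewhere has already set `$_SESSION['user_id']`, and `save_comment()` is a hypothetical stand-in for the project's own database code:

```php
<?php
// Added example: includes/add_comment.php with the user id taken from the session
// rather than from ?id=... in the request. Anyone can still request this URL, but
// they can only post as the account they are actually logged in as.
session_start();

header('Content-Type: application/json');

// Only accept POST: a plain link or an <img src="..."> cannot trigger a write.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    echo json_encode(['error' => 'POST required']);
    exit;
}

// Authentication: the caller must have a logged-in session (set by the login page, assumed).
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    echo json_encode(['error' => 'not logged in']);
    exit;
}

// The user id comes from the session only. Any "id" the client sends is ignored,
// so a hand-built form on another site cannot post as a different user.
$userId  = (int) $_SESSION['user_id'];
$message = trim($_POST['message'] ?? '');

if ($message === '' || mb_strlen($message) > 2000) {
    http_response_code(400);
    echo json_encode(['error' => 'message must be 1-2000 characters']);
    exit;
}

// Hypothetical storage function; replace with the project's own prepared-statement code,
// e.g. INSERT INTO comments (user_id, body) VALUES (?, ?)
function save_comment(int $userId, string $message): bool
{
    return true;
}

if (!save_comment($userId, $message)) {
    http_response_code(500);
    echo json_encode(['error' => 'could not save']);
    exit;
}

echo json_encode(['ok' => true]);
```

The jQuery call then sends only the message body; the `id=2` query parameter disappears from the URL entirely, because the server no longer trusts the client to say who is posting.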

I already use authentication, but I don't want a registered user to access the file directly.

Maybe I can use $_SERVER['HTTP_REFERER'] to check if the file is called from the website instead of directly. If the user calls the file directly, $_SERVER['HTTP_REFERER'] will be empty.


But I think that this is not enough ...

It all depends on what you are trying to prevent.  If you want to stop dedicated spammers, you need Captcha.  If you want to stop casual users playing around, checking the referrer is probably enough.  A posting timeout might also be appropriate, such as making people wait at least 60 seconds between posts, if spamming is what you are trying to prevent.
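The two checks named in the reply above, the referrer check and a 60-second posting timeout, as an added example (not code from the thread). It assumes `https://example.com` stands for the site's own origin and that `session_start()` runs before the check:

```php
<?php
// Added example: referrer check plus a per-session posting timeout for add_comment.php.
session_start();

const SITE_ORIGIN = 'https://example.com'; // assumed origin of the site
const POST_INTERVAL_SECONDS = 60;

/**
 * Returns null when the request may proceed, otherwise a short reason string.
 * The Referer header is supplied by the browser and can be absent or forged,
 * so this stops casual misuse only, as the reply above says; it is not authentication.
 */
function check_comment_request(array $server, array &$session, int $now): ?string
{
    $referer = $server['HTTP_REFERER'] ?? '';
    // Compare against the origin plus a trailing slash so that
    // "https://example.com.evil.test/" does not pass as a prefix match.
    if ($referer === '' || strpos($referer, SITE_ORIGIN . '/') !== 0) {
        return 'referer';
    }

    // Posting timeout: at least POST_INTERVAL_SECONDS between posts per session.
    $last = (int) ($session['last_post_at'] ?? 0);
    if ($now - $last < POST_INTERVAL_SECONDS) {
        return 'too soon';
    }

    // Record the accepted attempt. Move this after the database write if you
    // only want successful posts to count against the interval.
    $session['last_post_at'] = $now;
    return null;
}

$reason = check_comment_request($_SERVER, $_SESSION, time());
if ($reason !== null) {
    http_response_code(403);
    exit('Rejected: ' . $reason);
}
// ... save the comment using the user id from the session ...
```

The timeout lives in the session, so it only limits clients that keep a session; a dedicated spammer can drop the cookie and start over, which is why the reply points to a Captcha for that case. A per-session token echoed in the form and checked here is the usual way to make "called from my page" verifiable rather than relying on the Referer header.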
