问题描述

如何防止我的用户直接访问仅用于 ajax 调用的页面?

How do I prevent my users from accessing directly pages meant for ajax calls only?

在 ajax 调用期间传递密钥似乎是一种解决方案，而没有密钥的访问将不会被处理.但是制作钥匙也很容易，不是吗?查看源代码的诅咒...

Passing a key during ajax call seems like a solution, whereas access without the key will not be processed. But it is also easy to fabricate the key, no? Curse of View Source...

p/s:使用 Apache 作为网络服务器.

p/s: Using Apache as webserver.

为了回答为什么，我的 index.php 中有 jQuery ui-tabs，这些选项卡内是带有脚本的表单，如果直接访问它们将不起作用.为什么用户会想要这样做，我不知道，我只是想通过阻止直接访问没有验证脚本的表单来对用户更加友好.

To answer why, I have jQuery ui-tabs in my index.php, and inside those tabs are forms with scripts, which won't work if they're accessed directly. Why a user would want to do that, I don't know, I just figure I'd be more user friendly by preventing direct access to forms without validation scripts.

推荐答案

正如其他人所说，Ajax 请求可以通过创建正确的标头来模拟.如果您想进行基本检查以查看请求是否为 Ajax 请求，您可以使用:

As others have said, Ajax request can be emulated be creating the proper headers.If you want to have a basic check to see if the request is an Ajax request you can use:

 if($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
     //Request identified as ajax request
 }

但是，您永远不应将安全性建立在此检查上.如果您需要，它将消除对页面的直接访问.

However you should never base your security on this check. It will eliminate direct accesses to the page if that is what you need.

这篇关于防止直接访问 PHP 页面的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！