PHPEnthusiast Posted April 19, 2015

Hello! So I have a new random question to ask. I have a script that relies on jQuery requests. I've read on a lot of websites that relying on jQuery requests isn't a good thing because they can be spoofed; however, while I was testing it on my localhost using curl, it just showed me the default login page and that's it. So the logic behind my "Only jQuery requests can read these files" is that I'm trying to prevent people from seeing the contents directly. I know that .htaccess can do this already, but I'm trying to prevent someone from accessing the actual file directly in case someone is snooping around for file names. This is so they can't execute any PHP code. It will also trick them into thinking that the page they're on does not exist.

Here is my code for jquery_test.php:

    <?php
    // Check to see if the request was made via jQuery or not
    if (filter_input(INPUT_SERVER, 'HTTP_X_REQUESTED_WITH') === 'XMLHttpRequest') {
        // Request is from jQuery or Ajax. Put the actual code in here.
    } else {
        // Request was made directly to the file. Don't put any executable code in here.
        // If the user is not logged in, throw them the default login page; this can also
        // be made an error 404 page with a login form to trick the user.
        // If they are logged in, throw them an error 404 page.
    }

Here is my curl code. It's supposed to be simple.

    <?php
    $ch = curl_init("http://localhost/jquery_test.php");
    $fp = fopen("curl_export.txt", "w");
    curl_setopt($ch, CURLOPT_FILE, $fp);   // write the response body to curl_export.txt
    curl_setopt($ch, CURLOPT_HEADER, 0);   // leave the response headers out of the output
    curl_exec($ch);
    curl_close($ch);
    fclose($fp);

Here is what it exported.
    <html>
    <head>
    <title>Login</title>
    </head>
    <body>
    <h1>Login Page</h1>
    <p>Hello, please login to view this page.</p>
    <form action="action/login" method="POST">
    <input type="text" name="username">
    <input type="password" name="password">
    <input type="submit" name="submit">
    </form>
    </body>
    </html>

Now, how are people spoofing jQuery requests, when I tried to spoof my own and it just showed the login page? This is exactly what my code was supposed to do: check to see if the request was made via jQuery or directly. If the request was made via jQuery, load the code and execute it to select the appropriate tables. If the request was made via direct access, check to see if the user is logged in first. If the user is not logged in, throw them a login page. If the user is logged in, throw them a 404 page.

Edited April 19, 2015 by PHPEnthusiast
requinix Posted April 19, 2015

As your jquery_test.php code shows, there needs to be an X-Requested-With HTTP header with the value "XMLHttpRequest". Add a

    curl_setopt($ch, CURLOPT_HTTPHEADER, array("X-Requested-With: XMLHttpRequest"));
PHPEnthusiast (Author) Posted April 19, 2015

> As your jquery_test.php code shows, there needs to be an X-Requested-With HTTP header with the value "XMLHttpRequest". Add a
> curl_setopt($ch, CURLOPT_HTTPHEADER, array("X-Requested-With: XMLHttpRequest"));

Thank you for enlightening me. However, is it possible to reject curl from accessing, or does it act like a regular user?
requinix Posted April 19, 2015 (marked as Solution)

Like a regular user. It is impossible to tell if a request comes from a real person.
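The point requinix makes above, that a curl client is indistinguishable from a browser once it sends the same headers, can be watched end to end in a few lines. What follows is an added example and not code from the thread: a small Python HTTP server whose /weak/ route gates on X-Requested-With exactly as jquery_test.php does, a /hardened/ route that checks an authenticated session first and uses the header only to pick between a JSON body and a 404 page, and a client function standing in for curl. The route names, the session cookie value and the sample rows are constructed for the example; the session check is a stand-in for whatever real session handling the script uses.

```python
"""Header-only gating versus session gating for an XHR-style PHP endpoint.

Added example, not from the original thread. Routes, the session token and
the sample rows are constructed for illustration.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data standing in for "the actual codes" behind the gate.
SECRET_ROWS = [{"id": 1, "name": "example row"}]
# Constructed session token; a real script would consult the PHP session.
VALID_SESSION = "example-session-token"
LOGIN_PAGE = "<h1>Login Page</h1>"
NOT_FOUND_PAGE = "<h1>404 Not Found</h1>"


def is_xhr(headers):
    """The poster's check: trust the X-Requested-With header alone."""
    return headers.get("X-Requested-With") == "XMLHttpRequest"


def has_session(headers):
    """What actually protects the data: an authenticated session, checked on
    every request no matter how the request was produced."""
    return headers.get("Cookie", "") == f"session={VALID_SESSION}"


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/weak/jquery_test.php":
            # Header-only gate, mirroring the original jquery_test.php.
            if is_xhr(self.headers):
                self._send(200, json.dumps(SECRET_ROWS), "application/json")
            else:
                self._send(200, LOGIN_PAGE, "text/html")
        elif self.path == "/hardened/jquery_test.php":
            # Authorization first; the header only chooses the response shape.
            if not has_session(self.headers):
                self._send(401, LOGIN_PAGE, "text/html")
            elif is_xhr(self.headers):
                self._send(200, json.dumps(SECRET_ROWS), "application/json")
            else:
                self._send(404, NOT_FOUND_PAGE, "text/html")
        else:
            self._send(404, NOT_FOUND_PAGE, "text/html")

    def _send(self, status, body, content_type):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):
        pass  # keep the example quiet


def start_server():
    """Bind to a free loopback port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port, path, headers=None):
    """Play the part of curl: a client can send whatever headers it likes."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}{path}",
                                 headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def run_demo():
    """Return {scenario: (status, body)} for the four requests that matter."""
    server = start_server()
    port = server.server_address[1]
    spoof = {"X-Requested-With": "XMLHttpRequest"}
    logged_in = {**spoof, "Cookie": f"session={VALID_SESSION}"}
    try:
        return {
            "weak, no header": fetch(port, "/weak/jquery_test.php"),
            "weak, spoofed header": fetch(port, "/weak/jquery_test.php", spoof),
            "hardened, spoofed header, no session":
                fetch(port, "/hardened/jquery_test.php", spoof),
            "hardened, spoofed header, valid session":
                fetch(port, "/hardened/jquery_test.php", logged_in),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for scenario, (status, body) in run_demo().items():
        print(f"{scenario:42} -> {status} {body[:40]}")
```

Run it and the weak route hands the rows to the "curl" client as soon as the header is present, while the hardened route answers 401 until a valid session cookie accompanies the request. The only thing X-Requested-With reliably tells a server is that the request did not come from a plain browser navigation or HTML form post: a cross-origin page cannot attach a custom header without a CORS preflight, which is why the header is sometimes used as a lightweight CSRF check. Whether the caller is jQuery, curl, or anything else is not something the header can establish, so authorization has to sit on the session, as the hardened route does.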
PHPEnthusiast (Author) Posted April 19, 2015

> Like a regular user. It is impossible to tell if a request comes from a real person.

Thanks for letting me know. I guess I can't rely too much on it then.