I've some links which I'm using like
jQuery:
$("a.sync").on("click",function(e){
e.preventDefault();
var url = $(this).attr("href");
$.post(url,function(data){
$("#stage").html(data);
});
});
HTML:
<a class="sync" href="__home.php">Link</a>
This link just retrieves data from another page and puts it into #stage asynchronously. But using Inspect Element a user can see the link __home.php and can directly access it using a custom URL.
I don't want users to directly access that file, but only with an Ajax call...
How to do it?
3 solutions
#1
1
You can't deny direct access completely (someone can imitate an ajax request), but you can make it more difficult. First, try to check $_SERVER['HTTP_X_REQUESTED_WITH'] at __home.php. Second - read about CSRF tokens
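A concrete version of what answer #1 suggests, added here as an example (it is not code from the question or from any of the answers). The file name ajax_guard.php, the X-CSRF-Token header name and the meta tag are assumptions; the point it demonstrates is that the X-Requested-With check is only a heuristic, while a session-bound token compared in constant time is what actually stops another origin from triggering the endpoint, and that neither hides the URL from the user whose own browser is calling it.

```php
<?php
// ajax_guard.php (assumed file name): include it from the page that renders
// the links and from __home.php. The X-Requested-With check is a heuristic
// that jQuery satisfies and any curl user can imitate; the session-bound
// token is what stops another site from triggering the endpoint. Neither
// hides the URL from the user whose browser is making the request.

function issue_csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        // 256-bit random token, one per session
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function require_ajax_with_token(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // 1. Cheap filter: jQuery adds this header on $.post/$.ajax, an
    //    address-bar visit does not. Trivially forgeable, so not a boundary.
    if (($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') !== 'XMLHttpRequest') {
        http_response_code(403);
        exit('Ajax requests only');
    }
    // 2. Real check: token issued to this session, compared in constant time
    //    so the comparison does not leak how many leading bytes matched.
    $expected = $_SESSION['csrf_token'] ?? '';
    $provided = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
    if ($expected === '' || !hash_equals($expected, $provided)) {
        http_response_code(403);
        exit('Missing or invalid CSRF token');
    }
    // 3. Fragments should not be cached or served later as standalone pages.
    header('Cache-Control: no-store');
}

// In the page that renders the links: echo htmlspecialchars(issue_csrf_token())
// into a <meta name="csrf-token" content="..."> tag, then in the client script:
//   $.ajaxSetup({ headers: { 'X-CSRF-Token': $('meta[name=csrf-token]').attr('content') } });
// At the top of __home.php:
//   require 'ajax_guard.php'; require_ajax_with_token();
```

A logged-in user can still copy the token from the page source and replay it with curl, which is exactly the limit answer #1 describes; the guard is for cross-site triggering, not for hiding the file.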
#2
0
This may prove very difficult because the file you're accessing via AJAX has to be public content to the user browsing the site; the AJAX call is anyway triggered by the client from the perspective of the backend.
You could employ some sort of tokens as parameters, for example, but the problem is that the token must be known by the Javascript code, which is sending the request, and hence it is ultimately known by the user browsing the site also.
Flash probably enables usage of file system files but I'm unfamiliar with this and it seems a bit overkill.
#3
-1
Try this one
$("a.sync").click(function(e){
e.preventDefault();
var url = $(this).attr("href");
$("#stage").load(url); // load() fetches the href and inserts the response into #stage
return false;
});