PHP check to make sure the request is either xmlhttp from my site or a regular request from a specific domain

How would a condition be written to allow the page to access the xmlhttp request from my site or from a permitted external domain?

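<?php
    // Both headers are supplied by the client and may be absent.
    $referrer = $_SERVER['HTTP_REFERER'] ?? '';
    $requestedWith = $_SERVER['HTTP_X_REQUESTED_WITH'] ?? '';
    if ($requestedWith !== 'XMLHttpRequest') {
        // Not an XHR: redirect according to the referring domain.
        if (preg_match("/accepteddomain\.com/", $referrer)) {
            header("Location: http://www.domain.com/desiredpage.php");
        } else {
            header("Location: http://www.domain.com/nondesiredpage.php");
        }
        exit;
    }
?>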
0
4 answers

Given that the Referer and X-Requested-With headers are sent (or not sent) by the client (browser or anything else that can send an HTTP request), they cannot be trusted.

You can use them as tips to improve your user experience; but you must not rely on them to be either present or correct.

, , ( XmlHttpRequest: XHR ... , , , XHR).


( , /), - API-, ?

+2

, , , , HTTP, ! HTTP_REFERER.

\., , .

+1

Ajax . XMLHttp - .

, XMLHTTPRequest http://developer.yahoo.com/javascript/howto-proxy.html

- , XMLHttpRequest. script -, , - (Internet Explorer , ). -, XML, , , .

0

You need to know that HTTP headers are easily faked, so someone can telnet easily and send this HTTP header and access the page. Do not rely on HTTP REFERER for sensitive data. The only reasonably safe prevention is to use logins.

0
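
As an added example, not part of the original question or answers: the sketch below treats both headers as hints only, matches the Referer host exactly instead of by substring, and takes the access decision from a logged-in session. The function names, the host list and the `user_id` session key are assumptions, and the requests are constructed samples.

```php
<?php
// Added illustration, not code from the question or the answers.
// Hypothetical names: is_allowed_referrer(), request_hints(), may_serve(),
// ALLOWED_REFERRER_HOSTS and the 'user_id' session key.

const ALLOWED_REFERRER_HOSTS = ['accepteddomain.com', 'www.accepteddomain.com'];

// Compare the parsed host exactly. A substring regex such as /accepteddomain.com/
// also matches "accepteddomain.com.example.net" or a query string holding the name.
function is_allowed_referrer(?string $referrer): bool
{
    if ($referrer === null || $referrer === '') {
        return false;
    }
    $host = parse_url($referrer, PHP_URL_HOST); // string, null or false
    return is_string($host)
        && in_array(strtolower($host), ALLOWED_REFERRER_HOSTS, true);
}

// Both values come from client-supplied headers, so they are hints, not proof.
function request_hints(array $server): array
{
    return [
        'is_xhr'       => ($server['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest',
        'from_allowed' => is_allowed_referrer($server['HTTP_REFERER'] ?? null),
    ];
}

// The access decision rests on server-side state (a login), never on the hints.
function may_serve(array $session): bool
{
    return isset($session['user_id']);
}

// Constructed sample requests: [server variables, session contents].
$samples = [
    'headers set, no login'   => [['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest',
                                   'HTTP_REFERER' => 'http://accepteddomain.com/'], []],
    'look-alike referrer'     => [['HTTP_REFERER' => 'http://accepteddomain.com.example.net/'], []],
    'logged in, no referrer'  => [[], ['user_id' => 42]],
];

foreach ($samples as $label => [$server, $session]) {
    $hints = request_hints($server);
    printf("%-24s xhr=%d referrer_ok=%d served=%d\n",
        $label, $hints['is_xhr'], $hints['from_allowed'], may_serve($session));
}
```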