I am sending data to a PHP site using the following code:

    var xmlhttp;
    if (window.XMLHttpRequest) {
        // code for IE7+, Firefox, Chrome, Opera, Safari
        xmlhttp = new XMLHttpRequest();
    } else {
        // code for IE6, IE5
        xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
    // encodeURIComponent (unlike escape) encodes "+" and non-ASCII characters correctly for a query string
    xmlhttp.open("GET", "addEmail.php?email=" + encodeURIComponent(email), true);
    xmlhttp.send();

Is there any way of making sure that the addEmail.php is being run through the XMLHttpRequest, so people can't simply go to www.domain.com/[email protected] to make the PHP site eat their email and run a thousand requests on the page? Thanks in advance.
The user is always able to access the PHP script directly, but you can protect it a bit more by adding this check to the PHP script:

    if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest')
    {
        //CODE HERE
    }

Additionally, like Eugen Rieck mentioned, you could send a token.
That is fundamentally impossible.
You need to limit the number of requests per IP address on the server.
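
The per-IP limit from the last answer, sketched for the top of addEmail.php as an added example (not code from any of the posts above). The function name `allow_request`, the limit of 5 requests per 60 seconds and the file-based storage in the system temp directory are assumptions made for illustration.

```php
<?php
// Added example: sliding-window rate limit per client IP.
// Assumptions: 5 requests per 60 s, state kept in files under the system temp dir.

function allow_request(string $ip, int $limit = 5, int $window = 60, ?int $now = null): bool
{
    $now  = $now ?? time();
    // Hash the address so it is safe to use as a file name (IPv6 contains ':').
    $path = sys_get_temp_dir() . '/ratelimit_' . hash('sha256', $ip) . '.json';

    $fh = fopen($path, 'c+');          // create if missing, do not truncate
    if ($fh === false) {
        return false;                  // fail closed if state cannot be stored
    }
    flock($fh, LOCK_EX);               // serialize concurrent requests from the same IP

    $hits = json_decode(stream_get_contents($fh) ?: '[]', true);
    if (!is_array($hits)) {
        $hits = [];
    }
    // Keep only timestamps that are still inside the window.
    $hits = array_values(array_filter($hits, fn($t) => is_int($t) && $t > $now - $window));

    $allowed = count($hits) < $limit;
    if ($allowed) {
        $hits[] = $now;                // rejected requests are not recorded
    }

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($hits));
    flock($fh, LOCK_UN);
    fclose($fh);
    return $allowed;
}

if (PHP_SAPI === 'cli') {
    // Constructed demo: 7 requests from one documentation address within 7 seconds.
    $ip = '203.0.113.7';
    @unlink(sys_get_temp_dir() . '/ratelimit_' . hash('sha256', $ip) . '.json');
    for ($i = 0; $i < 7; $i++) {
        echo $i + 1, ': ', allow_request($ip, 5, 60, 1000 + $i) ? "accepted\n" : "rejected\n";
    }
} elseif (!allow_request($_SERVER['REMOTE_ADDR'])) {
    http_response_code(429);           // Too Many Requests
    header('Retry-After: 60');
    exit('Too many requests');
}
// ... the existing addEmail.php logic would continue here ...
```

Behind a reverse proxy or load balancer, `REMOTE_ADDR` is the proxy's address, so the client address has to come from a header set by that trusted proxy rather than from one the client can send itself.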