Question by domino
I just finished coding my first jquery ajax call page. It calls a php page every 1 or 2 seconds and returns json data.
The page basically displays posts of the message board the user is viewing. There are multiple message boards and some users should not be able to view certain boards, however the same php page is used for the call. It pics out the message using $id that is sent by the ajax script.
My question is how would I protect the php page from being manipulated and opened directly? The user can easily change the board id by opening the file directly and changing the URL. Not to mention the other ways.
If there is no easy way, then I guess I’d have to duplicate the majority of the main page to check if the user has necessary permissions. That would mean more server load since the page is updated every second.
Answer by TheVillageIdiot
Ajax calls are treated by server in the same way as normal page requests. All the authentication and authorization mechanisms are called before serving the page. To make sure just log off and try to get stuff from your page using AJAX. It should not work if your page requires you to log into the site.
Answer by Starx
If an AJAX call can open the page, so can the user, you cannot rely on definitive technique to protect a page. Rest you can follow what @TheVillageIdiot has said in his answer.