Thursday 6 March 2014

PHP - Secure Ajax Call from Hackers - Example

PHP - Secure Ajax Call from Hackers - Example

Today, In all web application we use Ajax call to get the server data without refresh the full page. In this cases, we get required data from server without refresh the page.

For Example
In Registration Page, We want to validate the unique email address of user


Following the Simple Steps to do more Secure your Ajax Call.

1. Ajax Check - Ajax url must give Response when request is from ajax.
 
if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) &&  strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') 
{
echo "Ajax Call";
} else{
echo "No Ajax Call";
}

2. Domain Check - Ajax url must give response, when request from your own server.
if(!empty($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER']=="WWW.mydomain.com/url")
{
 //Request from my server
}

3. Always use post Method 

4. Token System
 a) Create a token and encrypt  the data.
 b) Send with Ajax
 c) Before giving the result check the request with de-crypt