Ajax pages

My web app has a series of pages that just accept AJAX incoming calls and process them…there is not any
content in them for the web user to see.

There is a chance though that the user might choose to access them directly(by typing the URL in the address bar)…especially if it someone who know how to use dev tools and see where ajax requests are sent.

So the question is what to do in such cases?
Suppose that he/she tries to access these pages…what must I present to him?

Could they be put in a folder that is inaccessible to site visitors?
I keep my php includes in a folder denied by htaccess. My php cron job scripts are in a folder outside of the public root.
Would your scripts still work if they were in a non-public folder?

You are asking questions that I cannot answer cause my site is still local…nothing is uploaded to a live server yet.

Nonetheless…is it possible to test things locally and use htaccess to deny access to these files?

I suppose it would depend on how your local machine set up. I couldn’t say, as I don’t have my local machines set up as servers or with php. I do all my testing on the remote host and can only test plain html locally.
Though someone here may know better.
weather the scripts will work from a non-public location will depend on the nature of the scripts. I’m assuming that if they are without any user directed html, they don’t require any user interaction or access, so should be fine hidden away.

AFAIK it is possible to modify HTTP headers, but if it isn’t a “sensitive information” thing it might be enough to use something like

ini_set('display_errors', 'true');

  echo "you can't GET here"; 

what is the reason for using error_reporting?

Oops, sorry to cause confusion.
I have that in my “PHP template” file that I use when developing code and left it in the example because I’m not in the habit of removing it until I’m done working up script and move it to live and forgot to not include it in the quick copy / paste to here.

Best to not have it in any live files, much better to have a custom error handler log or email you errors instead. You want to not show error messages to site visitors.


So the question is what to do in such cases?
Suppose that he/she tries to access these pages…what must I present to him?

Try defining a LOCALHOST constant that only allows certain scripts to run locally:


defined('LOCALHOST') ?: define('LOCALHOST', 'localhost' === $_SERVER['SERVER_NAME']);
   error_reporting(0); ini_set("display_errors", "0");
     error_reporting(-1); ini_set("display_errors", 1);


yes…but the problem concerns when the site is in a live server…
Locally it is not an issue since I am the only one to access it…the developer.


Try running the script both online and localhost. See if you can spot the difference :slight_smile:

Currently I have not yet uploaded the app in a production server.

Try copying the script to test-123.php and running on your live site and local host.

I forgot to mention that the reason I like this technique is that only one set of files is required. No chance of uploading a development script and overwrite an online script of the same name.

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.