Let's say I have a website with ajax.js in it. This file calls somefolder/answer.php. It requests information in $_GET[], which gets interpreted etc., and it works. But whoever opens ajax.js in an editor will find out about somefolder/answer.php, and they could make their own calls without even using the website. Or they could go to the file directly and execute queries.

In a normal non-AJAX website, you render the page as a whole; it's full of scripts, images, links and everything else. They're not direct dumps from the database but the result thereof. But with AJAX, a script-kiddie could obtain pure information with relatively no effort.

It is way, way harder to extract data from a rendered (by PHP) non-AJAX website than it is to just send a query and get an answer from a script which will give it to you nicely as JSON or an array.

Is there a way to prevent such abuse?
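An added example (not from the question or any answer) of what the answer.php side can do about this, given that the URL itself cannot be hidden: it treats the endpoint as a public API and checks for a logged-in session, an anti-CSRF token and valid input before returning only what that user may already see on the page. The session layout, the X-Ajax-Token header, the $pdo connection and the items table are assumed for illustration.

```php
<?php
// somefolder/answer.php, hardened version (added example, not the asker's code).
// Assumptions: users log in through a normal PHP session; the page that includes
// ajax.js has stored a random token in $_SESSION['ajax_token'] and ajax.js sends
// it back in the X-Ajax-Token header; $pdo is an existing PDO connection.
declare(strict_types=1);
session_start();
header('Content-Type: application/json');

function fail(int $status, string $msg): void {
    http_response_code($status);
    echo json_encode(['error' => $msg]);
    exit;
}

// 1. The endpoint is exactly as public as its URL, so the session, not
//    obscurity, is the gate: anonymous callers get nothing.
if (empty($_SESSION['user_id'])) {
    fail(401, 'login required');
}

// 2. Anti-CSRF token: proves the request was built by our own page rather than
//    by another site's script running in the user's browser. hash_equals()
//    avoids a timing side channel on the comparison.
$sent = $_SERVER['HTTP_X_AJAX_TOKEN'] ?? '';
if (!hash_equals((string) ($_SESSION['ajax_token'] ?? ''), $sent)) {
    fail(403, 'bad token');
}

// 3. Validate $_GET instead of interpreting it freely: only the shape of
//    request the page itself can make is accepted.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    fail(400, 'invalid id');
}

// 4. Authorise per record with a prepared statement, so a direct caller can
//    only retrieve rows the logged-in user owns, never a bulk dump.
$stmt = $pdo->prepare('SELECT id, title FROM items WHERE id = :id AND owner_id = :uid');
$stmt->execute([':id' => $id, ':uid' => $_SESSION['user_id']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    fail(404, 'not found');
}

echo json_encode($row);
```

The token is issued once per session by the page that includes ajax.js (for example `$_SESSION['ajax_token'] ??= bin2hex(random_bytes(32));`) and handed to the script, so a copy of ajax.js alone is not enough to call the endpoint.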