Stop PHP script being run directly in browser

I have a PHP script (myscript.php) that is run from a JS script and would like to prevent it from being run by just typing myscript.php in the browser.

I thought checking php_sapi_name() might be an answer (and it still might be), but I can’t seem to check the values it’s returning in each case.

document.querySelector(".mylink")
.addEventListener("click", function () {
  fetch("myscript.php")
})

No. With php_sapi_name() you can check the difference between a web and a CLI request (potentially).

I think you should use a specific header in your AJAX request and check whether it exists in your server script.


Thanks, @igor_g. That makes sense. I wonder why I didn’t think of that :shifty:

An ajax request sets an http_x… header -

// determine if the request was an ajax request
define('IS_AJAX_REQUEST', isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest');

You can then test if(IS_AJAX_REQUEST) is true or not in your logic.


You could also define a PHP CONST in the calling file and test to see if the CONST is defined:

<?php
// file: index.php
define('GLOBAL_CONSTANT', true); // define() needs a value; a simple flag is enough
require 'myscript.php'; // should work OK

<?php
// file: myscript.php
if (defined('GLOBAL_CONSTANT')) :
    // No problem
else :
    die('GO AWAY NASTY HACKER');
endif;

const can't be used on an AJAX fetch though.

Pretty much going to be impossible to check, short of encoding a key to hand to the browser to pass back to the server (think JWT). Won't stop someone from going to the page, getting the key, and postmastering their way in, but… at that point, what's the difference between a user's browser going to the url and javascript in the user's browser going to the url, really.

I should say I'm not a fan of checking headers for anything as reliable.

xhttpreq.setRequestHeader("X-Requested-With","google");

As I understood, that is not a question of authentication. OP just wants to avoid a direct call of the AJAX handler.

If it’s really an authentication problem, there is no difference between an AJAX and a common request. And in this case e.g. a session cookie is required.


No, it’s not a question of authentication. There’s no money or security running on this. myscript just increases a counter. Sounds like a custom header would do what I need even if it’s not infallible.

Thanks, chaps.

Why do you need AJAX for that increment? Can’t it be done on pageload?

It’s counting the number of times an external link is clicked.

I was bored and decided to test using a defined PHP CONSTANT:

https://this-is-a-test-to-see-if-it-works.tk/sp-a/Gandalf/

Edit:

Care to share your JavaScript counter and I will update the scripts?

Have you considered an outbound link tracker? i.e. instead of linking directly to the external resource, you link to https://my.website.example/outbound?url=https://some.external.website.example/some/path where you register the click and then redirect (using HTTP 302) to https://some.external.website.example/some/path.

The drawback is that it’s a little bit slower; the advantages are that your problem disappears and it works without JS.

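A minimal outbound tracker along these lines, as an added example and not code from the thread; the allowlist, the counter file and the destination host are assumptions. It allowlists destination hosts so the ?url= parameter cannot be abused as an open redirect to arbitrary sites.

```php
<?php
// outbound.php (added example, not from the thread): counts a click and redirects.
// The counter file and the allowlist of destination hosts are hypothetical.
declare(strict_types=1);
// Only destinations on this list may be redirected to; an unrestricted ?url=
// parameter would turn this script into an open redirect.
const ALLOWED_HOSTS = ['some.external.website.example'];
const COUNTER_FILE = __DIR__ . '/clicks.json';

function resolveTarget(string $url, array $allowedHosts): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // rejects javascript:, data: and similar schemes
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;
    }
    return $url;
}

function incrementCounter(string $file, string $key): int
{
    $fp = fopen($file, 'c+');
    if ($fp === false) { throw new RuntimeException('cannot open counter file'); }
    flock($fp, LOCK_EX); // serialise concurrent clicks
    $raw = stream_get_contents($fp);
    $counts = $raw === '' ? [] : (json_decode($raw, true) ?: []);
    $counts[$key] = ($counts[$key] ?? 0) + 1;
    ftruncate($fp, 0);
    rewind($fp);
    fwrite($fp, json_encode($counts));
    flock($fp, LOCK_UN);
    fclose($fp);
    return $counts[$key];
}

$url = $_GET['url'] ?? '';
$target = is_string($url) ? resolveTarget($url, ALLOWED_HOSTS) : null;
if ($target === null) {
    http_response_code(400);
    exit('unknown destination');
}
incrementCounter(COUNTER_FILE, $target);
header('Location: ' . $target, true, 302);
exit;
```

The link in the page then points at outbound.php?url=https://some.external.website.example/some/path and no JavaScript is involved.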

Funnily enough, I hadn’t, even though it’s a technique I’ve used before (without the counting). It’s worth a bash!

The counter’s done in PHP, squire.
