jQuery autocomplete - Hide php request page contents_问答_开发者

jQuery autocomplete - Hide php request page contents

开发者 https://www.devze.com 2023-02-22 21:09 出处：网络

I have an input field that autocompletes using text taken from a PHP page. It works well but is it possible to hide the text on the PHP page if it\'s accessed directly? I realize that the way it works

I have an input field that autocompletes using text taken from a PHP page. It works well but is it possible to hide the text on the PHP page if it's accessed directly? I realize that the way it works it's as if the user actually visited that page but is there a t开发者_开发知识库rick that would allow that?

This should work, place it at the top of the page

  if($_SERVER['HTTP_X_REQUESTED_WITH'] !='XMLHttpRequest'){
     die();
  }

jQuery automatically sends headers with AJAX reqeusts

No, you can't: as you say it's the user who's requesting the content (well, the user's browser), so the content must be accessible by the user, every "cloaking" technique can be easily defeated by a slightly skilled user.

The first trick I can think of is to use http headers. On the code to load data for your autocomplete set a custom data that your php page reads to write his content otherwise you show nothing. When a user try to access the page directly (put the url on the browser) it show nothing because browser do not put your custom header

$.ajax({
    url: "data.php",
    type: "GET",
    dataType: "html",
    headers: {custom:'showdata'},
    success:function(){}
});

I use this trick to let my page knows what kind of content type to return because some times it should be json and other time it should be html

Obviously it's not perfect but many users won't see the data your trying to hide

Here's a simple way to make it a --little-- more well hidden. On the autocomplete data source page, check for a variable of any name you choose. For example:

if ($_GET['ninja'] != 'chop') { return 'Sorry, this page is not directly accessible'; } else { //data generated and returned here }

Yes, it can be defeated. But take into consideration, "what's the point?" Are you storing mission critical data? Is it really not to be seen? This is the reason that many small websites contain horribly unsecure and XSS vulnerable code and yet never get hacked...it's just not worth it for a hacker to spend the time developing a custom hack to get to the data that's there. Hacking Windows, on the other hand, provides millions (billions?) of targets to do all sorts of nefarious things. I'm certainly not saying that your site's not important, but it doesn't seem like a case where triple redundant security is necessarily required.