AJAX only access

Question

I have recently started to code heavily AJAX supported scripts in PHP, thing is, the files being accessed by the AJAX calls can be directly used too, how to disable that?

Answer 1

You cannot reliably prevent this from happening. The key really is not to consider someone accessing this file directly as a security issue - plan for this being possible and you will be in a much more secure place.

Some people might recommend code that looks like this (or similar):

if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) 
     && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
    // more code here
}

However, the fact of the matter is that HTTP headers can be spoofed quite easily and are not a means of securing code. In my testing on a busy site a while back i noticed that these headers are not actually that reliable anyway.