How to secure my CI app: refusing the GET method in a controller
#1

[eluser]mandril[/eluser]
Well, I don't want the user to access my methods in the controller class by GET, i.e. by typing in the URL:

site/controller/method

because this method is only for Ajax. So what I want to do is something like this:

function method()
{
    // If it was called by POST (Ajax):
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        // call model and so on
    } else {
        die('operation not allowed');
    }
}

Does CI have something to deal with this? Thank you!
#2

[eluser]drewbee[/eluser]
So I don't see what the issue is here? You typed it out exactly how you wanted.

Simply check to see if POST is set, or the POST values that you are looking for and that they have a value.
#3

[eluser]mandril[/eluser]
You mean something like this?

if (isset($_GET)) die('Operation not allowed');

// this is not working
#4

[eluser]drewbee[/eluser]
GET shouldn't be set, as it is not allowed by CodeIgniter (unless you disabled that). POST the data to the controller.
#5

[eluser]mandril[/eluser]
I haven't modified CodeIgniter to allow GET, but if you run the method from the browser URL manually you are using GET! And CodeIgniter does let you do that!

If you type this URL: localhost/site/controller/method, CodeIgniter does run the method, and that is called GET for me. So I understand CodeIgniter does not allow sending values by GET (index.php?val=something), but it does let you call the functions by typing the URL into the browser.

Maybe you mean I cannot use $_GET in my script? OK, but doing it the other way is not working either:

if (!isset($_POST)) die('Operation not allowed');

Maybe I misunderstood you.
#6

[eluser]drewbee[/eluser]
Ah, OK. POST is a superglobal in PHP that is set regardless of data, so obviously checking isset() will return true.


Personally, I would do a check for the data that you are sending via ajax.

I.e. let's say you submit via Ajax a person's name (name) and email address (email_address).

In your controller method, use $this->input->post('field_name'). Also note that the post() function returns an empty string if it is not valid post data, so you would want to check with empty().
Code:
// Assign first: on PHP older than 5.5, empty() on a function call
// ("Can't use function return value in write context") is a fatal error.
$name  = $this->input->post('name');
$email = $this->input->post('email_address');

if (empty($name) || empty($email))
{
    die('operation not allowed');
}
#7

[eluser]mandril[/eluser]
I see, that's nice :) Thank you for the help and time =D I thought there was an easier way provided by CodeIgniter, because it is common to use Ajax or to have methods in the controller that you want to secure from user hijacking.

I expected something like $this->secure->method('name'); ^^ or something like that, so that it only allows sending data by POST and denies URL access.

But anyway, thanks for everything =)
#8

[eluser]davidbehler[/eluser]
You could use the function that was proposed in this thread by Johan André: http://ellislab.com/forums/viewthread/103623/

That way you could even request something using Ajax and GET parameters instead of POST.
#9

[eluser]drewbee[/eluser]
Wow, cool! I had no idea the server reported that!

Code:
// $ajax holds TRUE or FALSE depending on whether it is an Ajax request.
$requested_with = $this->input->server('HTTP_X_REQUESTED_WITH');
$ajax = !empty($requested_with) && $requested_with === 'XMLHttpRequest';
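The two checks proposed in this thread (the required-field check in #6 and the X-Requested-With check in #9), combined into one helper as an added example. This is not code from the thread or from CodeIgniter itself; the function names ajax_post_problem() and require_ajax_post() are made up for illustration, and it is written in plain PHP against $_SERVER and $_POST so it runs stand-alone. In a CodeIgniter controller the same values come from $this->input->server() and $this->input->post(). The sample requests at the bottom are constructed to exercise each rejection path.

```php
<?php
// Added example, not part of the original thread or of CodeIgniter.

/**
 * Return NULL if the request is an Ajax POST carrying every required field,
 * otherwise a short string saying why it was rejected.
 *
 * $server and $post are passed in rather than read from the superglobals so
 * the function can be exercised with constructed requests (see below).
 */
function ajax_post_problem(array $server, array $post, array $required)
{
    // 1. Typing "site/controller/method" into the address bar is always a
    //    GET, so checking the request method alone stops that case. This is
    //    what the thread's isset($_GET) / isset($_POST) attempts were after.
    $method = isset($server['REQUEST_METHOD']) ? $server['REQUEST_METHOD'] : 'GET';
    if ($method !== 'POST') {
        return 'method ' . $method . ' not allowed';
    }

    // 2. XMLHttpRequest-based libraries (e.g. jQuery) add this header; a
    //    plain HTML form post or a link does not. Caveat: the client sets it,
    //    so curl or any script can forge it. It filters accidental browser
    //    calls, it does not stop a deliberate attacker; use a CSRF token for
    //    that.
    $xhr = isset($server['HTTP_X_REQUESTED_WITH']) ? $server['HTTP_X_REQUESTED_WITH'] : '';
    if ($xhr !== 'XMLHttpRequest') {
        return 'not an XMLHttpRequest';
    }

    // 3. The fields the Ajax call is expected to send, as drewbee suggested.
    //    empty() would treat the string "0" as missing, so compare the
    //    trimmed value against '' instead when "0" can be a legitimate value.
    foreach ($required as $field) {
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            return 'missing field ' . $field;
        }
    }

    return NULL;
}

/**
 * Controller-side wrapper: answer with a 403 instead of a bare die(), so the
 * browser and any logs see a proper status code.
 */
function require_ajax_post(array $required)
{
    $problem = ajax_post_problem($_SERVER, $_POST, $required);
    if ($problem !== NULL) {
        header('HTTP/1.1 403 Forbidden');
        exit('operation not allowed');
    }
}

// --- constructed requests (not real traffic) showing each rejection path ---
$required = array('name', 'email_address');

$typed_in_url = array('REQUEST_METHOD' => 'GET');
$plain_form   = array('REQUEST_METHOD' => 'POST');
$ajax_request = array(
    'REQUEST_METHOD'        => 'POST',
    'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest',
);

$cases = array(
    'typed in URL'      => array($typed_in_url, array()),
    'plain form post'   => array($plain_form,   array('name' => 'Ann')),
    'ajax, field short' => array($ajax_request, array('name' => 'Ann')),
    'ajax, complete'    => array($ajax_request, array('name' => 'Ann',
                                                      'email_address' => 'ann@example.com')),
);

foreach ($cases as $label => $case) {
    list($server, $post) = $case;
    $problem = ajax_post_problem($server, $post, $required);
    echo str_pad($label, 20), ($problem === NULL ? 'accepted' : 'rejected: ' . $problem), "\n";
}
```

Inside a controller you would call require_ajax_post(array('name', 'email_address')) as the first line of the Ajax-only method. The method check is the part that actually answers the original question (a URL typed into the browser can never be a POST); the header check is a convenience filter, and neither replaces a per-session CSRF token if the method changes server-side state.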
#10

[eluser]mandril[/eluser]
Nice :)
