Identify ajax calls
#1

[eluser]Arun Joshi[/eluser]
I have a controller 'signup' and a function 'isUserExists' in it.
I call this function through this URL and it's working fine.

Code:
http://localhost/tbf/signup/isUserExists


I want to call this function through ajax only. So direct calling should not be allowed.
How can I restrict this direct calling? I tried

Code:
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']))
{
    echo 'ajax call';
}
else
{
    echo 'url call';
}


but it's not working.
#2

[eluser]mddd[/eluser]
I don't think it is very useful to make that distinction. You can never be sure if it is a 'direct call' or not because an 'Ajax call' is just another call from a client. A user could easily fake a so-called 'Ajax call'. So the real solution is that you'll have to check if the call is valid. For instance using session variables.
#3

[eluser]Arun Joshi[/eluser]
I meant for logged-in users: if they check the JS script, they can take the URL and try it in the address bar. I want to prevent this situation.
#4

[eluser]mddd[/eluser]
I understand. I'm just saying: if you prevent someone from loading the script through the address bar, they can always load it through an Ajax call that they make themselves. So there is not really any way you can block a user from accessing that information. Simply because an Ajax call is exactly that: a call from the user's computer. You should look for a different situation; for instance slowing down the script if it is called multiple times from the same location. If you have the script respond slower and slower if it is called quickly in succession, it won't be so interesting for someone to misuse it.
#5

[eluser]Arun Joshi[/eluser]
Thanks mddd, I understood.
Thanks for your fast replies...
#6

[eluser]Georgi Budinov[/eluser]
If you still need that check, the environment variable is set only if you use some javascript library - jquery, prototype, yui.
If you use your own javascript utility for xhttprequests, you should be able to set the headers.

UPDATE: As I think a little more on your idea ... you can set an additional xhttprequest parameter that only you know and check for it in the php controller. This makes it even a little harder for the user to make such manipulations by hand.
#7

[eluser]mindSmile[/eluser]
You could also try setting an extra variable when making the ajax call, something like "ajax: 1" and then if that variable is set you know it came from the AJAX and not the url. That's how I usually distinguish to serve different responses for ajax vs. non-ajax.
#8

[eluser]danmontgomery[/eluser]
I use:

Code:
define('IS_AJAX', isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest');
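
An added example, not part of any post in this thread: it combines the points made above by treating `X-Requested-With` only as a response-format hint, checking a session-bound token for validity, and slowing repeated calls from the same address. All function names, the `signup_token` key and the sample requests are constructed for illustration, and `$store` stands in for a shared cache or database table.

```php
<?php
// Format hint only: the client sets this header, so it proves nothing.
function is_ajax(array $server): bool
{
    return strtolower($server['HTTP_X_REQUESTED_WITH'] ?? '') === 'xmlhttprequest';
}

// Validity check: token stored in the session when the signup page was rendered.
function has_valid_token(array $session, string $sent): bool
{
    return isset($session['signup_token']) && hash_equals($session['signup_token'], $sent);
}

// Escalating delay per client address: 0s, 0.25s, 0.5s, 1s ... capped at 8s.
function throttle_delay(array &$store, string $ip, float $now, float $window = 10.0): float
{
    $entry = $store[$ip] ?? ['hits' => 0, 'last' => 0.0];
    if ($now - $entry['last'] > $window) {
        $entry['hits'] = 0; // a quiet period resets the penalty
    }
    $entry['hits']++;
    $entry['last'] = $now;
    $store[$ip] = $entry;
    return $entry['hits'] < 2 ? 0.0 : min(8.0, 0.25 * 2 ** ($entry['hits'] - 2));
}

// Returns the decision; the caller applies the delay before responding.
function handle_lookup(array $server, array $session, array $post, array &$store, float $now): array
{
    $delay = throttle_delay($store, $server['REMOTE_ADDR'] ?? 'unknown', $now);
    if (!has_valid_token($session, (string) ($post['token'] ?? ''))) {
        return ['status' => 403, 'delay' => $delay, 'format' => 'none'];
    }
    return ['status' => 200, 'delay' => $delay, 'format' => is_ajax($server) ? 'json' : 'html'];
}

// Constructed requests: the header alone without the token, then a valid call.
$store   = [];
$session = ['signup_token' => bin2hex(random_bytes(16))];
$request = ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest', 'REMOTE_ADDR' => '192.0.2.10'];
$r1 = handle_lookup($request, $session, [], $store, 100.0);
$r2 = handle_lookup($request, $session, ['token' => $session['signup_token']], $store, 100.5);
printf("%d %.2f | %d %.2f %s\n", $r1['status'], $r1['delay'], $r2['status'], $r2['delay'], $r2['format']);
```

The first request carries the header but no token and is rejected; the second is accepted, but because it arrives within the window it is assigned a 0.25 second delay.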



