</div>
</div>
</div>
<p>Closed 2014-06-02 14:50:15Z.</p>
</aside>
My AJAX requests point to a URL which is linked to a controller, then a model that inputs the data into a database.
My question is, what is to stop other people from making an AJAX call to that URL with data and entering it into my database?
How can I protect against this?
</div>
You cannot prevent people from faking AJAX calls. To put it another way, there is no way your script receiving the AJAX call can determine if the call is legit.
You have to implement some kind of high-level logic (hashes, passwords...) if you want to make sure the call is legit.
It seems like you have built an API which you are calling from the client. Are you using REST or SOAP? Since most mobile applications today work the REST API way, you could try the API Key approach described here.
If you don't have a client that can have the logic, then I would go with a Synchronizer Token.
What exactly separates users of your page from "other people"? Are they inputting data in the wrong format? Are they inputting too often? You should protect against these things specifically rather than try to control where the URL is being accessed from. For instance, if there are only 5 specific inputs that the AJAX function sends, just design your controller to accept only those (or a number from 1 to 5) and pass the appropriate data to the model, and ignore all other calls.
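As an added example (not part of the question or of this answer), the two checks this answer suggests in Node.js: a controller that accepts exactly five known fields with explicit types and limits and rejects anything else, and a per-client sliding-window rate limit for callers that submit too often. The five field names, their limits, the rate-limit numbers and the `saveToModel` callback are assumptions chosen for the illustration.

```javascript
// Added example (not from the question or any answer): validating an AJAX
// payload against a fixed set of expected fields and limiting how often one
// client may submit. Field names, limits and rate numbers are assumptions.

// Only these fields are accepted; everything else is reported as an error.
const SCHEMA = {
  title:    { type: 'string', maxLen: 100 },
  body:     { type: 'string', maxLen: 2000 },
  rating:   { type: 'int', min: 1, max: 5 },
  category: { type: 'enum', values: ['news', 'review', 'question'] },
  visible:  { type: 'bool' },
};

function checkField(rule, value) {
  switch (rule.type) {
    case 'string': return typeof value === 'string' && value.length <= rule.maxLen;
    case 'int':    return Number.isInteger(value) && value >= rule.min && value <= rule.max;
    case 'enum':   return rule.values.includes(value);
    case 'bool':   return typeof value === 'boolean';
    default:       return false;
  }
}

// Returns { ok: true, data } holding only the known fields, or { ok: false, errors }.
// Unknown fields are an error rather than silently dropped, so tampering shows up in logs.
function validatePayload(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['payload must be a JSON object'] };
  }
  const errors = [];
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(SCHEMA, key)) errors.push(`unexpected field: ${key}`);
  }
  const data = {};
  for (const [key, rule] of Object.entries(SCHEMA)) {
    if (!Object.prototype.hasOwnProperty.call(body, key)) { errors.push(`missing field: ${key}`); continue; }
    if (!checkField(rule, body[key])) { errors.push(`invalid value for ${key}`); continue; }
    data[key] = body[key];
  }
  return errors.length ? { ok: false, errors } : { ok: true, data };
}

// Sliding-window limiter: at most `limit` submissions per `windowMs` per client id
// (session id or authenticated user id; a bare IP is a weaker choice behind proxies).
class RateLimiter {
  constructor(limit, windowMs) { this.limit = limit; this.windowMs = windowMs; this.hits = new Map(); }
  allow(clientId, nowMs) {
    const recent = (this.hits.get(clientId) || []).filter((t) => nowMs - t < this.windowMs);
    if (recent.length >= this.limit) { this.hits.set(clientId, recent); return false; }
    recent.push(nowMs);
    this.hits.set(clientId, recent);
    return true;
  }
}

// Endpoint glue: rate-limit first, then validate, then hand only cleaned data to the model.
function handleSubmit(clientId, body, limiter, nowMs, saveToModel) {
  if (!limiter.allow(clientId, nowMs)) return { status: 429, body: { error: 'too many requests' } };
  const result = validatePayload(body);
  if (!result.ok) return { status: 400, body: { errors: result.errors } };
  saveToModel(result.data);
  return { status: 200, body: { ok: true } };
}

// Demo with a constructed payload: the extra "admin" field is rejected outright.
const demoLimiter = new RateLimiter(5, 60000);
console.log(handleSubmit('user-1', { title: 'Hi', body: 'text', rating: 4, category: 'review', visible: true, admin: true },
  demoLimiter, Date.now(), () => {}).body); // { errors: [ 'unexpected field: admin' ] }
```

The validator passes the model a freshly built object containing only schema keys, so a caller cannot smuggle in a column the controller never meant to expose; the checks run regardless of whether the request came from your page or from a hand-crafted client, which is the point of the answer.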