Here's my code.
getuser.php:
...
while ($result = @mssql_fetch_assoc($data)) {
foreach ($result as $item => $value) {
if (is_null($value)) {
$result[$item] = 'Empty';
}
}
foreach ($result as $result => $data) {
echo '' . $result . '' . '' . $data . '';
}
}
echo "";
}
mssql_close($con);
?>
index.php:
function showUser(str) {
if (str=="") {
document.getElementById("result").innerHTML="";
return;
}
if (window.XMLHttpRequest) {
xmlhttp=new XMLHttpRequest();
} else {
xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
}
xmlhttp.onreadystatechange = function() {
if (xmlhttp.readyState==4 && xmlhttp.status==200) {
document.getElementById("result").innerHTML=xmlhttp.responseText;
}
};
xmlhttp.open("GET","getchar.php?q="+str,true); xmlhttp.send();
}
This is an instant search, to find a user, it gets their info as soon as it's typed. Basically I want to know, if there's a way I can hide the filename of the PHP page (getuser.php) in the AJAX script (xml part), so people can't just go to www.example.com/getuser.php?q=user and get the information. Would I have to add a && statement to see if the person logged in is an admin? so like
if(isset($_GET)) && isset($_SESSION['user']))
{
// do code
}
You can't.
The browser has to know the URL it is going to fetch, and it is trivial to find out what URLs browsers are requesting (by looking at the Net tab in a debugger if nothing else).
No. But you can just detect the AJAX request in your PHP file so users can't navigate to that page in their browser. Like so:
if (!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && 'xmlhttprequest' == strtolower($_SERVER['HTTP_X_REQUESTED_WITH'])) {
// put code here
}