Like most sites, someone needs to join up to use mine.
 
I'm using a wee-bit-o-AJAX to pull some results from a database and display 
them dynamically.
 
For the AJAX to work, it has to hit a script that's accessible from the htdocs 
tree right? 
Effectively it's just a (JavaScript initiated) GET URL request correct?
 
For example, index.html calls http://example.com/gimmedata.php?query=foo
That in turn returns a JS formatted array which is eval() in JS and rendered on 
the page.
 
(oversimplified, I know)
 
My question is, how do you protect gimmedata.php since it's sitting out there 
sans normal web headers and stuff?
Can it include session_start() and do all that wonderful checking to make sure 
the user is logged in before just happily doling out
my precious data?
 
What is the proper, secure, sanctioned and AJAX/PHP blessed way to do this? 

I could set up a test environment and hack up something I'm sure -- and 
probably will if I get too impatient, but nobody seems to address this issue 
in any examples, they just do it as if information is *gasp* free. I'm a PHP 
guru, but I am also an AJAX novice.
From what I gather, the return is really in XML transport format and all the 
magic of converting to/from XML is transparent to me. I worry that putting 
other headers or whatever may "corrupt" that?
 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
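
An added example, not part of the original post: one way gimmedata.php could check the PHP session before answering, returning JSON rather than a JS-formatted array. The `user_id` session key, the `respond()` and `lookup()` helpers and the sample rows are assumptions made for illustration.

```php
<?php
// gimmedata.php: added example, not code from the original post.
declare(strict_types=1);

// Send a JSON body with the given HTTP status and stop.
function respond(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    header('Cache-Control: no-store');        // keep member data out of caches
    echo json_encode($body, JSON_HEX_TAG | JSON_HEX_AMP);
    exit;
}

// Hypothetical stand-in for the database lookup; the rows are constructed.
function lookup(string $term): array
{
    $rows = [
        ['id' => 1, 'name' => 'foo widget'],
        ['id' => 2, 'name' => 'bar widget'],
    ];
    return array_values(array_filter(
        $rows,
        fn(array $r): bool => stripos($r['name'], $term) !== false
    ));
}

// The browser sends the same session cookie with an XHR request as with a
// normal page load. session_start() only adds response headers; the body
// that the JavaScript receives is unchanged.
session_start();

// Assumption: the login script stores the member id in $_SESSION['user_id'].
if (empty($_SESSION['user_id'])) {
    respond(401, ['error' => 'login required']);
}

// Accept only a short query made of word characters, spaces and hyphens.
$query = $_GET['query'] ?? '';
if (!is_string($query) || !preg_match('/^[\w -]{1,64}$/', $query)) {
    respond(400, ['error' => 'bad query']);
}

respond(200, ['results' => lookup($query)]);
```

On the client, the response can be read with `JSON.parse()` instead of `eval()`, and a 401 status can be treated as a signal to send the user back to the login page.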
