Papermashup

Subscribe


Tweets


"RT @bethgordon: .@Tesco Please rethink archaic 'Approved by Mums'. Pretty sure it's not just mothers who make childcare decisions. https://…"

@ashleyford 3 days ago

"Is there ever a time that @DFS doesn't have a sale on?"

@ashleyford 6 days ago

Designer and web developer, Co-founder and Technical Director at Harkable.com. Previously I worked at Spotify, MySpace and InMobi. Contact me - ashley[at]papermashup.com

Detecting an Ajax Request with PHP

AshleyAshley

Here’s a quick piece of code that i find useful to check if a request that comes to a PHP page was made via an Ajax call or a simple form post. This method uses the $_SERVER[‘HTTP_X_REQUESTED_WITH’] request to determine if data was sent to a specific page using an xmlhttprequest. It’s worth bearing in mind that there is no guarantee that every web server will provide this setting, servers may omit specific $_SERVER parameters, That said, a large number of these variables are accounted for, you can find more information about $_SERVER variables here.

The PHP


if(isset($_SERVER['HTTP_X_REQUESTED_WITH']) && !empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest')
{
// If its an ajax request execute the code below		
echo 'This is an ajax request!';	
exit;
}
//if it's not an ajax request echo the below.
echo 'This is clearly not an ajax request!';

The code is pretty self explanatory we are literally checking to see if the request was sent via an xmlhttprequest. In the Demo below i’ve setup a page that contains a jQuery Ajax request to our code above and a simple form with a button that just submits to the same page.

demo

Designer and web developer, Co-founder and Technical Director at Harkable.com. Previously I worked at Spotify, MySpace and InMobi. Contact me - ashley[at]papermashup.com

Comments 10
  • Saul Fautley
    Posted on

    Saul Fautley Saul Fautley

    Reply Author

    FYI, checking both isset() and !empty() is redundant. Pick one.


  • zender
    Posted on

    zender zender

    Reply Author

    Thanks for this.
    @Various commenters, you’d not be wise to rely on the results of this for a security check, since you don’t want to trust the client to not lie about the type of request (just as you can’t trust a client to run your app’s JS as you intend). Anyone can send any kind of HTTP request to your app, at any time, with any type of headers they choose.

    A good example of how this is useful: I just used this in an application’s access control module. We need the app to throw 403’s to AJAX calls so our client-side code can detect and handle the permissions problem, yet for a non AJAX call, it’d be nice to forward logged out users to the log in page instead of giving them a nasty 403 error. Cake and eat it too :)


  • Sashi
    Posted on

    Sashi Sashi

    Reply Author

    Thanks for this great piece of code… works well


  • roberto
    Posted on

    roberto roberto

    Reply Author

    This is also useful when writing unobstrusive javascript, and you want the same form to work with and without javascript, with javascript it would be sent by ajax with out it would be posted normally.


  • scvinodkumar
    Posted on

    scvinodkumar scvinodkumar

    Reply Author

    Thanks. Great code.

    Actually, i was looking for this code only to provide more security to my Ajax pages, because i dont want others to run the ajax pages from the browser.


  • visualsuspect
    Posted on

    visualsuspect visualsuspect

    Reply Author

    Or the use as a backup, when a user has javascript disabled? So the form can still be send and processed.

    Thanks for the info, gonna test it on my webserver.


  • developar
    Posted on

    developar developar

    Reply Author

    I posted the comment in IE… disappear, so I am posting again :)

    Thanks for this nice piece of code, but if you mentioned where we we can use it in our projects, like what the use of it, what I am thinking right now is in security of web applications.


    • Ashley
      Posted on

      Ashley Ashley

      Reply Author

      @developar i’ll look into the IE issue, thanks for letting me know about that. Your right you could use it for security to make sure that the request is passed via ajax.


  • developar
    Posted on

    developar developar

    Reply Author

    Nice piece of code, but I can’t think right now where I can use it I mean can you mention any useful thing we can do ?

    I think for security puposes ?


    • Ashley
      Posted on

      Ashley Ashley

      Reply Author

      @developar an example of usage for this code would be if you had 2 forms that post to the same PHP page. but one form is submitted using AJAX and the other is a standard form submission.