Simplified: In my JS/PHP app I have a button. When a user clicks on the button he gets 1 point which is saved via jQuery AJAX/PHP in a database.
Of course the user now can call the script that makes the AJAX request without clicking the button. Is there any best practice to avoid that?
I am using AJAX because I don't want the page to reload.
Update: There are many other ways a user can earn points. Ideally I would have a JS function add_points(points) that adds the points for the user. But I know that anyone can write a script to call this function automatically. I guess the only way is to generate a hash for every possible point-earning action and submit this hash with the AJAX request.
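
The per-action hash idea from the update, sketched server-side as an added example (not part of the original post): the server issues a single-use, HMAC-signed token bound to the user, the action and an expiry, and the AJAX endpoint looks up the point value itself instead of trusting a client-supplied number. The names `SECRET`, `POINTS`, `issue_token`, `redeem_token` and the in-memory `$store` (standing in for a database table or session) are assumptions.

```php
<?php
// Added example: single-use, HMAC-signed action tokens (all names hypothetical).
const SECRET = 'replace-with-a-random-server-side-key';   // constructed placeholder
const POINTS = ['button_click' => 1, 'quiz_done' => 5];   // server-side point table

// Called by the server when it decides the user may perform $action once.
function issue_token(int $userId, string $action, array &$store, int $ttl = 60): string
{
    if (!array_key_exists($action, POINTS)) {
        throw new InvalidArgumentException('unknown action');
    }
    $nonce   = bin2hex(random_bytes(16));   // unguessable, one per token
    $expires = time() + $ttl;
    $payload = "$userId|$action|$nonce|$expires";
    $store[$nonce] = true;                  // remember the token as unused
    return $payload . '|' . hash_hmac('sha256', $payload, SECRET);
}

// Called by the AJAX endpoint. Returns the points to award, or 0 if rejected.
function redeem_token(int $sessionUserId, string $token, array &$store): int
{
    $parts = explode('|', $token);
    if (count($parts) !== 5) {
        return 0;                           // malformed
    }
    [$userId, $action, $nonce, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', "$userId|$action|$nonce|$expires", SECRET);
    if (!hash_equals($expected, $mac)) {
        return 0;                           // forged or altered fields
    }
    if ((int)$userId !== $sessionUserId || (int)$expires < time()) {
        return 0;                           // other user's token, or expired
    }
    if (!isset($store[$nonce])) {
        return 0;                           // already redeemed (replay)
    }
    unset($store[$nonce]);                  // burn the token before awarding
    return POINTS[$action] ?? 0;            // value comes from the server table
}

// Constructed demo: first use, replay, tampered action, wrong session user.
$store = [];
$token = issue_token(42, 'button_click', $store);
var_dump(redeem_token(42, $token, $store));
var_dump(redeem_token(42, $token, $store));
$other = issue_token(42, 'button_click', $store);
var_dump(redeem_token(42, str_replace('button_click', 'quiz_done', $other), $store));
var_dump(redeem_token(7, $other, $store));
```

A token like this caps each server-issued action at one award and stops the client from choosing the amount, but it cannot prove that a person clicked the button. A script can still request and redeem tokens, so the server also has to control when tokens are issued and how often.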