My website Contains Prototype Framework and programmed in PHP. (i know very very basic javascript)
Website Normal Visitor & Its Actions
Some what similar to keepvid .com
A)It have one Input box where user put link and than press submit. (?var=userfoo execute via prototype frame work) (the request is send to same page action=index.php)
B)It shows Loading gif than it display the result in by default it is hidden and show on request.
C)Now The parent window html (Main Page) isn't refreshed or reloaded.
D)User Again Put link and press submit it does the same a b c process.
Every thing was working fien but i come to notice problem while checking logs. Some was using scripts to grab my output. Not normal visitor you can say or leechers.
Problem :
1)But if some one put http:// url?var=foo&var=bar in the browser it will generate the output content of div that means no main page visit. anyone can pass query and directly get the result.
2) I tried using Session Token But it fails as it regenerate in div. also the parent is not refreshed so the session token doesn't match (THIS ONLY HAPPENS WITH AJAX REQUEST 1 request is giving output okay but the second request fails as the parent token is same. And submit button uses the same token) On pure PHP it works it refresh the page but i don't want to refresh the page. I just want to show loading gif.
3)Any one can use curl php and grab the page. So i wanted a Javascript verification (HIDDEN). If fails than Start Captcha in short if Javascript is disabled than start captcha security. I don't want to make it work on verbose or through command line or through another script (for fetching).
4) I don't know exactly what the things are called. I think they are XHR.
I want to Provide Security for my website from
1)URL Variable Injection like ?var=foo&&var2=bar but also allow to convert (if some body does that ) to divert the page to ?redirect=foo and load mainpage and put that redirect value to input box
2) Server Based Verification but inside the div and must show loading gif and donot reload the entire page..
Things i looked but failed...
1) JCryption but it needs Jquery than i have to recode everything...
2)
// If the request did not come from AJAX, exit:
if($_SERVER['HTTP_X_REQUESTED_WITH'] !='XMLHttpRequest'){
exit;
}
This command fails with IE7 browser. (this is the ONLY BEST METHOD BUT FAILS IN JUST ONE BROWSER) Also one more problem is If some one create run it on the local host change the action to http://myurl than it will still accept it. Also if we make a curl to send custom header than it will defeat the purpose.
3) Used JavaScript Encryption and PHP Decryption. SOME JS to enrypt and php function to decrypt. (through using Hidden form element input) This was also a good method but i am having difficulty in editing the source to pass variable i mean from div to server.
Also used few other method but i think that all that above methods are the best to describe me problem... Kindly understand that the solution might be very small or big but i don't understand JavaScript much so kindly elaborate.