Security in Ajax: How to prevent cURL to post data

Published 2019-07-07 07:45

Question:

I've gone around and looked for this solution forever; here is my problem:

I have a file called function.PHP, which will receive POST data and execute PHP according to the data, for example:

<?php
if ($_POST["data"] == "delete") { /* Do something to delete something */ }
if ($_POST["data"] == "reset") { /* Do something here */ }

So basically I can use Ajax from the same domain to make the file run according to my data. Ajax absolutely cannot cross domains here. My problem is in PHP: I found out about a function called cURL() which can post data to my PHP site, and I have looked for a lot of methods on Google, but I cannot find any solution to prevent people from cURLing my site. I found out that they can use Session or something, but even if I use Session, there is always a way to pass it (I've seen it while I did the search).

So my question is: Is there any way to prevent people from posting data to my site? I'm pretty sure they cannot using Ajax, but I really am worried about cURL in PHP.

I appreciate any suggestion.

Thank you guys in advance.

Answer 1:

Before you perform an action, check if the current user has permissions to do that.

So there is no special protection; just write your normal code (yes, in normal code you have to check permissions).

Actually (thanks to @alex) the browser does absolutely the same work as curl does, so it is not even possible to detect whether you get the request from a browser or from a cheater.



Answer 2:

It is not possible to protect your website against arbitrary POST requests. Anyone can send a POST request with arbitrary data to your website. cURL is just one of many possible ways to do this.

What you are looking for is authentication and authorization. You must make sure that the user sending the POST request is known and has proved that he is who he says he is (authentication), and that he has the necessary privileges to perform the desired action (authorization). Only if the user has the necessary privileges should you allow the action.



Answer 3:

The security of handling AJAX-based requests is no different from the authentication/authorisation/validation handling of any request from a client to the server. Your basic checks are valid session details, user details and privileges, and request origin (same computer/IP).
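The checks that answers 1 to 3 describe, applied to the question's function.PHP, as an added example that is not code from the question or from any of the answers. It assumes the session keys, the role names and the delete_record()/reset_record() helpers, all of which are hypothetical.

```php
<?php
// Added example, not code from the question or the answers: a hardened
// function.PHP that authenticates and authorises before acting. The helpers
// delete_record() and reset_record(), the session keys and the role names
// are assumptions; replace them with your own user store and actions.
declare(strict_types=1);
session_start();

// Authorisation policy: each action and the roles allowed to perform it.
const ACTION_ROLES = [
    'delete' => ['admin'],
    'reset'  => ['admin', 'user'],
];

// Authentication: the login code is assumed to store user_id and role in the
// session. A client with no valid session cookie, cURL included, stops here.
function current_user(): ?array
{
    if (!isset($_SESSION['user_id'], $_SESSION['role'])) {
        return null;
    }
    return ['id' => (int) $_SESSION['user_id'], 'role' => (string) $_SESSION['role']];
}

// Authorisation: the action must exist and the user's role must be listed for it.
function is_allowed(array $user, string $action): bool
{
    return isset(ACTION_ROLES[$action])
        && in_array($user['role'], ACTION_ROLES[$action], true);
}

// Request-origin check (answer 3): browsers send Origin on POST, so a missing or
// foreign Origin is rejected. This stops cross-site browser POSTs only; a client
// can set the header itself, which is why the permission checks are the real gate.
function same_origin(?string $origin, string $host): bool
{
    return $origin !== null && parse_url($origin, PHP_URL_HOST) === $host;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') { http_response_code(405); exit; }
if (!same_origin($_SERVER['HTTP_ORIGIN'] ?? null, $_SERVER['SERVER_NAME'])) {
    http_response_code(403); exit('bad origin');
}
$user = current_user();
if ($user === null) { http_response_code(401); exit('login required'); }
$action = (string) ($_POST['data'] ?? '');
if (!is_allowed($user, $action)) { http_response_code(403); exit('forbidden'); }
switch ($action) {
    case 'delete': delete_record($user); break;  // hypothetical helper
    case 'reset':  reset_record($user);  break;  // hypothetical helper
}
```

A request that reaches the switch has passed every check, whether it came from the page's own Ajax call or from cURL; that is the point the answers make, since the server cannot tell the two apart.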



Answer 4:

AJAX cannot prevent anything. Your assumption is that data sent to the server is generated by AJAX, which in turn is generated by JavaScript, which in turn is generated by a browser. Given enough time, anyone proficient in JavaScript can interpret what you want the server to receive in the request and construct that request using even the simplest of tools, like telnet or netcat. Any action that modifies or removes data on your server should not be handed off to unknown people and/or with undefined parameters.