2

I need a div on my site to auto refresh every two minutes or so, and I found this code which works.

<script>
var auto_refresh = setInterval(
function()
{
$('#mydiv').load('urltocontent.php').fadeIn("slow");
}, 10000);
</script>

And then I simply have a <div id="mydiv"></div>

While this works fine, I was wondering if it's possible for me to hide where the file location is at? I don't want people to be able to access urltocontent.php which can be seen when they view my source.

Is there a way to only refresh the div? (Not having to add load('urltocontent.php') inside.)

Hope to hear from you soon! Thanks!


Hey guys! Thanks for all your quick replies! I apologize for my stupid questions...

I tried Kiren Siva's method, it prevents users from directly accessing the site, but now my first load will show a 'bad request'.

The main reason I was hoping I could hide it was so it would be more 'professional'. Since it links to one of my template folders and I have other parts of my site stored in that folder. I also don't want curious people to visit that page and get greeted by an ugly un-cssed page.

  • 6
    This is JavaScript, don't worry about it, if someone wants to reveal that string they will. Anything sensitive should be done in the server. – elclanrs Jun 15 '13 at 07:20

6 Answers

2

Unless I'm misunderstanding the question, by nature, it can't be hidden. Even if you found a way to obscure it in your source code, anybody could just open Chrome's Developer Tools or Firebug and see the request to the server.

Anything the browser knows about, users can find out if they want to and have the right tools.

Compeek
1

If the browser is able to access it, then the URL cannot be stopped.

If you want to be more secure and protected, then you can only use authentication + authorization, so only logged-in users can access it. URL restriction is not a good practice. Someone can access it with bots. Instead, simply using proper authentication saves you.

How to use Basic Auth with jQuery and AJAX?

Suresh Atta
0

There is no way you can hide it as the Ajax function needs the page to be called.

If you would like to hide that particular page, what you can do is call a dummy page from your Ajax and in turn call the actual page.

For example, use index.php from your Ajax call and execute the function located in urltocontent.php (if any) from index.php. Or forward the request to that page from index.php.

Nagarjun
0

If you reveal the URL, anyone can call it explicitly. So you have to manage it in the file itself, i.e. check whether the request is from Ajax or not.

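// jQuery adds the X-Requested-With header to its Ajax requests.
// !empty() avoids an "undefined index" notice when the header is absent.
if (!empty($_SERVER['HTTP_X_REQUESTED_WITH'])) {

 // whatever code you want to load in the div

} else {

 // handle the case where someone calls it explicitly

 die("Bad request");

}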
Kiren S
  • Hey! I've tried your method, it does prevent direct access but my first load on my site (because it uses include to include the first view) shows bad request. How can I fix that? Or do I include a duplicate (but renamed url) of that page? – user2488354 Jun 15 '13 at 07:44
  • It's basically like the one on my thread, and then
    I used your code so users can't view that page when they visit the url. But now it will show 'bad request' and I have to wait for the ajax to refresh it before my content appears.
    – user2488354 Jun 15 '13 at 08:04
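
One way to avoid the 'Bad request' on first load described in the comments above, while gating on a login session (as the authentication answer suggests) instead of on the X-Requested-With header. This is an added example, not code from the thread; the file name fragment.php, the constants, both function names, the templates/ directory and `$_SESSION['user_id']` are all assumptions.

```php
<?php
// fragment.php -- added example, not code from the thread.
// Assumed names: APP_ENTRY, FRAGMENT_DIR, FRAGMENTS, render_fragment(),
// fragment_status(), $_SESSION['user_id'] (set by your own login code).
declare(strict_types=1);

const APP_ENTRY    = true;                         // templates check this before running
const FRAGMENT_DIR = __DIR__ . '/../templates';    // assumed to sit outside the web root
const FRAGMENTS    = ['content' => 'content.php']; // allow-list: public name => file

/** Render an allow-listed fragment to a string; null for an unknown name. */
function render_fragment(string $name): ?string
{
    if (!array_key_exists($name, FRAGMENTS)) {
        return null;                  // the path is never built from user input
    }
    ob_start();
    require FRAGMENT_DIR . '/' . FRAGMENTS[$name];
    return (string) ob_get_clean();
}

/** HTTP status for a fragment request, decided from session state only. */
function fragment_status(array $session, string $name): int
{
    if (empty($session['user_id'])) {
        return 401;                   // X-Requested-With is deliberately ignored
    }
    return array_key_exists($name, FRAGMENTS) ? 200 : 404;
}

// Runs only when this file is the requested URL, e.g. from
// $('#mydiv').load('fragment.php?name=content'), not when a page require()s it.
if (isset($_SERVER['SCRIPT_FILENAME'])
    && realpath($_SERVER['SCRIPT_FILENAME']) === __FILE__) {
    session_start();
    $name   = is_string($_GET['name'] ?? null) ? $_GET['name'] : '';
    $status = fragment_status($_SESSION, $name);
    http_response_code($status);
    if ($status === 200) {
        echo render_fragment($name);
    }
    exit;
}

// In a full page (first load), after require 'fragment.php':
//   echo '<div id="mydiv">' . render_fragment('content') . '</div>';
// At the top of templates/content.php:
//   defined('APP_ENTRY') || exit;
```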
-1

You could make it doubly hard for them to find....

This will not deter any developers or real hackers, or anyone that truly wants to find things out, but it will deter most regular users

Just add a link to the javascript file...instead of including the script directly on the page...

Level 1

<script src="myscript.js"></script>

Then in that file... You could do something devilish for further deterrence like...

Level 2

 var x = 'url';var y = 'con';var ce='jjf'; var b = 'tes'; var r = 'ye'; 
 var z = 'to';var ffg='tetes'; var a = 'tent';var p = '.ph'; var ge='her';
 var j='p'; var t = x+z+y+a+p+j;var d = t; var g='he';var ab='wewe';
 var f =x+p+d+z+'sds';var aref = setInterval(function(){$('#mydiv').load('url'+z+y+a+p+'p').fadeIn("slow");}, 10000);

3rd and most important layer....

if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {

 //Your content to load into the div

 } else {die();}

These 3 layers, will deter 99% of people, but again... XHR headers can be spoofed, so anyone who really wants to get access will.

There is unfortunately no method to completely hide and disallow access.

Besides actual user authentication / login process

Kylie
  • 1
    by this way you can hide from the normal people not from the hacker or developer – NullPoiиteя Jun 15 '13 at 07:33
  • 1
    This really doesn't even make it harder for normal people. Anybody who knows to go through the source code would know that they can open the console / Firebug (or the equivalent in other browsers) and see the request with the URL right there. – Compeek Jun 15 '13 at 07:38
  • Obviously, I've mentioned that multiple times in the post.....there is no known way to do this, as any diligent hacker/developer can spoof headers/calls with ease.....so really there is no 'real' defense.... but I gave the OP 3 legitimate layers of defense....to hide from 95% of people out there.....I don't understand why I'm getting downvotes – Kylie Jun 15 '13 at 07:45
-1

Auto refresh a div after every 10 seconds. I have illustrated it for some div having id mydiv

<script>
setInterval(function() {
$('div#mydiv').load('./somepage.php #mydiv');
    }, 10000);
</script>
lakshya_arora