2

I'm writing my own MVC framework to practice and I have a Request class. I would like to catch the type of request and parse data accordingly whether its an AJAX/JSON call or a HTML/XML request.

Im currently using:

$_SERVER['HTTP_ACCEPT']

and above when used var_dump on it returns application/json for this:

$.ajax({
    type: 'post',
    url: 'index',
    dataType: 'json',
    data: {
       _method: 'put'
    }
});

var_dump($_SERVER['HTTP_ACCEPT']) returns:

string(46) "application/json, text/javascript, */*; q=0.01"

Question: is this method reliable? Does it work always? Are there any security problems with detecting ajax call like this?

Note that all my ajax calls in my framework must have dataType: 'json' unless its a different type of call like HTML or XML.

Colin M
  • 11,952
  • 3
  • 33
  • 55
GGio
  • 7,239
  • 10
  • 39
  • 71

2 Answers2

9

Using jQuery, you can use $_SERVER['HTTP_X_REQUESTED_WITH'] which will be set to "XMLHttpRequest." This is the most reliable method when using jQuery.

Colin M
  • 11,952
  • 3
  • 33
  • 55
  • XMLHttpRequest means its an ajax call? How would I detect the type if its XML or JSON ? – GGio Jul 23 '13 at 17:04
  • @GGio Depending on your needs, you can either try to parse the `Accept` header, but personally I would use a querystring parameter or file extension to indicate the desired output format. At least for a basic use case. – Colin M Jul 23 '13 at 17:05
  • There seems to be two questions: how to detect if a request is coming from ajax and how to find out the data type. This answer answers the first question. As for the second question, well, reliable is overrated! See [this question](http://stackoverflow.com/questions/477816/what-is-the-correct-json-content-type?rq=1) on the true MIME type of JSON and [this one](http://stackoverflow.com/questions/1049401/how-to-select-content-type-from-http-accept-header-in-php) on handling type detecion with Apache than PHP. – nt.bas Jul 23 '13 at 17:16
  • @nt.bas Let's put it this way. A query string parameter will have him back up and working in about 30 seconds. Type detection/parsing won't :). It's easy enough to change in the future if it's abstracted properly. – Colin M Jul 23 '13 at 17:17
  • @ColinMorelli Yes, that's why i said type detection reliability is overrated. :-) Hope the OP takes the time to actually do his best to validate the parameter properly. – nt.bas Jul 23 '13 at 17:29
3

Colin Morelli answered your main question, but this should help you with your follow ups.

XMLHttpRequest means its an ajax call? How would I detect the type if its XML or JSON

Yes. XMLHttpRequest is JavaScript object that makes the request. It's poorly named now, though, because you can have it send whatever you want. To answer your second question you'll have to do some sort of parsing attempt on the payload you receive. You can scan for XML and if not found just assume it's JSON and attempt to parse.

Mike Thomsen
  • 33,992
  • 10
  • 50
  • 76
  • why cant I use `$_SERVER['HTTP_ACCEPT']` seems to detect XML as well it gives `application/xml` – GGio Jul 23 '13 at 17:09
  • It's generally not a good idea to just assume that something like that is set correctly. You should always manually test incoming data to make sure it is what you are expecting. Also, you may run into a situation where someone sends you invalid XML and you should catch that early on before you execute too much code. – Mike Thomsen Jul 23 '13 at 17:11