Securing AJAX so only the page that called it can get results.
I have noticed an increase in hits to just my getresults.php file but nowhere near as many hits to the page that should be calling the getresults ajax file.
I also added some code to my ajax file to record the requests made and found that there are a lot of completely random requests, some of which are completely out of character and nowhere near what should be entered in the autocomplete fields on the main public webpage.
My page asks for a postcode and then the road and the road field shows suggestions based on the characters entered after the third one is entered.
But my ajax file getresults.php, which is called from the road field in the main webpage, is hit 1000s more than the main home page, which led me to think that someone hijacked the page to grab all the data in the database. This seems to be the case, as the search terms used are nowhere near what they should be and cause a fair amount of load from multiple IPs. When they do get close, my 'like' search on MySQL allows the database content to show results, and there are loads being sent back, again causing load on the server. The site is not popular enough for this sort of load or interest, and I really need to find a way to stop people who use a dummy form on their own site and have the POST sent to my getresults.php page.
What methods would people suggest to prevent someone doing this unless they first came from the main page that my form is on? Using a session to store the date might work for a moment or two, but all they do is visit the main page and keep it open and then go back to their own page they created and continue where they left off. I know, and I tried this from a different site I have, and I was able to hack in and get pages of results from search terms that I know would be in the tables.
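
One way to limit lookups to visitors who loaded the form, as an added example that is not part of the original post: the main page issues a short-lived session token with a fixed lookup budget, and getresults.php checks it before running the query. The function names, the 300-second lifetime and the budget of 40 are assumptions, and a plain array stands in for `$_SESSION` so the script runs from the command line.

```php
<?php
// Added example, not code from the original post. All names and limits are assumptions.
const TOKEN_TTL    = 300; // seconds a token stays valid after the main page issues it
const TOKEN_BUDGET = 40;  // autocomplete lookups allowed per issued token
const MIN_CHARS    = 3;   // the form's three-character threshold, enforced server-side

// Called while rendering the main page; embed the returned token in the form
// and send it with every AJAX POST. In production pass $_SESSION as $session.
function issue_token(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $session['ac'] = ['token' => $token, 'expires' => $now + TOKEN_TTL, 'left' => TOKEN_BUDGET];
    return $token;
}

// Called at the top of getresults.php. Returns null when the lookup may run,
// otherwise a short reason to log before refusing the request.
function check_lookup(array &$session, string $token, string $postcode, string $road, int $now): ?string
{
    $state = $session['ac'] ?? null;
    if ($state === null || !hash_equals($state['token'], $token)) {
        return 'no valid token from the main page';
    }
    if ($now > $state['expires']) {
        return 'token expired, main page must be reloaded';
    }
    if ($state['left'] <= 0) {
        return 'lookup budget for this page load is used up';
    }
    if (trim($postcode) === '') {
        return 'postcode missing';
    }
    if (strlen(trim($road)) < MIN_CHARS) {
        return 'road prefix shorter than the form allows';
    }
    $session['ac']['left']--; // spend one lookup from the budget
    return null;
}

// Constructed demo: timestamps and inputs are made up for illustration.
$session = [];
$token = issue_token($session, 1000);
var_dump(check_lookup($session, $token, 'AB1 2CD', 'High', 1010));   // genuine form request
var_dump(check_lookup($session, 'forged', 'AB1 2CD', 'High', 1010)); // POST from a dummy form
var_dump(check_lookup($session, $token, 'AB1 2CD', 'Hi', 1020));     // prefix under three characters
var_dump(check_lookup($session, $token, 'AB1 2CD', 'High', 1000 + TOKEN_TTL + 1)); // page left open too long
```

A visitor who keeps the main page open can still spend the token's budget, so this bounds how much each page load can pull rather than blocking automated clients outright; a `LIMIT` on the `LIKE` query and a per-IP rate limit cap the rest.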