Think of a related question: is it necessary for the code to make ajax request judgment?-php Tutorial

Think of a question: is it necessary for the code to make ajax requests to determine whether ajax requests have been made before. A new colleague said he had to make a judgment before he noticed this. I checked a lot of sites like Youku, and they didn't make any judgment on ajax. Is this judgment necessary. Ajax? Php has a question: is it necessary for the code to make ajax request judgments?
I have never done any judgment on whether ajax requests are made before.
A new colleague said he had to make a judgment before he noticed this.
I checked many sites like Youku
None of them made any judgment on ajax.
Is this judgment necessary.

Ajax? Php

------ Solution --------------------
It is best to do this. Generally, the data returned by ajax requests must be higher.
------ Solution --------------------
Reference:

Reference: it is best to do this. Generally, the data returned by ajax requests must be higher.
I think it's the best
It's okay not to do it. Previously, we thought that the request results would also be presented.

Why is this restriction not imposed on websites like Youku?

Thank you!

It depends on what the situation is. for example, your website supports the function of publishing a message, which is an ajax request and passing parameters through get. For example, msg. php? Content = test.

If you do not make ajax judgment, and your website is a very popular site (such as Weibo), then I can launch a malicious attack and insert an iframe under my website, the iframe points to msg. php? Content = I was attacked, so once you visit my site, if you don't know, your Weibo has actually updated a message "I was attacked ", this is the most common and simplest csrf attack.

Some serious attacks actually penetrate into the banking process, so I suggest you judge ajax based on your needs. at the very least, you should refer to judge it ~
Some websites are still very vulnerable to this vulnerability. two weeks ago, I also discovered a known vulnerability in large Chinese websites, as long as I post a post in the forum saying that everyone can see it (the address is my own test server url), then the number of votes on this website will automatically increase, many people vote for me without knowing it...

I sincerely suggest you make a judgment ~
------ Solution --------------------
The key depends on the requirements. In the end, the program receives a request and returns a result.
If a reasonable request is foreseeable (an unreasonable situation has been handled at other levels), there is no need to judge at this level.
If it is not foreseeable that it is reasonable, you need to make various judgments even if it is not ajax.
For example, although the client javascript has made a judgment on form submission, it is still unable to determine whether malicious submission is successful.

If the response is for a specific request, such as an API, you must check
As for attacks and the like, isn't ajax not a precaution?

Remember one principle: easy to get in and out