Should the PHP files that do processing/validation of data called by AJAX be put in 'include' folder and made inaccessible to the user?

My Question is suppose I have a form which needs validation through AJAX. The AJAX is sending data to to a file called do_ajax_validation.php. Now should I put this file in 'include' folder and name it do_ajax_validation.inc.php and bar it from direct access of the user or should I put it in the directory in which the original开发者_运维问答 form resides?

Edit: And the same question is for the files which do processing of data of forms (or the files which are defined in the action property of the form tag)

You can't prevent the user from directly accessing the file. If you do, you prevent the XMLHttpRequest object from accessing it too!

You should have a reasonable URI for the XHR to access. Beyond that, structure your files in whatever fashion makes the site easiest to maintain.