I work for a small company (read: three employees) that develops web applications, and we've been consistently using this structure for each page of our apps:
I just feel this way is too insecure: if someone wants to link directly to the page and repeatedly spam it with info, there's little way to stop them. Is there perhaps a better way to structure the requests?
This seems pretty good.
For contrast, here's what I do (pretty similar):
- A JS file for the AJAX etc.
- A PHP class / functions that process the _POST and _GET data
That's it really.
The class / functions check for the correct _POST or _GET data and do any other validation checks I need.
From the functions I return an array, which can then be json_encoded and sent back to the JS.
This works well for me because the functions can be used for forms that send the same data.
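As an added example (not the poster's code), here is one PHP handler written in the structure the answer describes: a function that checks for the expected _POST fields, runs validation, and returns an array the entry point json_encodes for the JS. It also addresses the question's concern about the URL being hit directly by requiring a per-session token. The function name, the field list and the session key "csrf_token" are assumptions; the function takes the request data as parameters rather than reading $_POST directly so the same code can serve several forms and be exercised from the command line.

```php
<?php
// Added example, not the original poster's code.
// Assumptions: the page's JS posts the form fields plus a per-session token
// in a field named "csrf_token"; handle_contact_request() and the field
// names are illustrative.

declare(strict_types=1);

/**
 * Validate incoming POST data and return an array for the caller to json_encode.
 * Every return value carries an HTTP status so the entry point can set it.
 */
function handle_contact_request(array $post, array $session, string $method): array
{
    if ($method !== 'POST') {
        return ['ok' => false, 'error' => 'method not allowed', 'status' => 405];
    }

    // Token bound to the session: a request that reaches this URL without it
    // (a bare link, for instance) is rejected before any work is done.
    $expected = (string)($session['csrf_token'] ?? '');
    $given    = (string)($post['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return ['ok' => false, 'error' => 'invalid token', 'status' => 403];
    }

    // Field-level validation; collect all problems so the JS can show them at once.
    $errors  = [];
    $name    = trim((string)($post['name'] ?? ''));
    $email   = trim((string)($post['email'] ?? ''));
    $message = trim((string)($post['message'] ?? ''));

    if ($name === '' || mb_strlen($name) > 100) {
        $errors['name'] = 'required, max 100 characters';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid email address';
    }
    if ($message === '' || mb_strlen($message) > 2000) {
        $errors['message'] = 'required, max 2000 characters';
    }

    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors, 'status' => 422];
    }

    // Persisting or mailing the message would happen here (omitted).
    return ['ok' => true, 'status' => 200, 'data' => ['name' => $name, 'email' => $email]];
}

// Entry point when the file is requested over HTTP; skipped under the CLI.
if (PHP_SAPI !== 'cli') {
    session_start();
    $result = handle_contact_request($_POST, $_SESSION, $_SERVER['REQUEST_METHOD'] ?? 'GET');
    http_response_code($result['status']);
    header('Content-Type: application/json');
    echo json_encode($result, JSON_THROW_ON_ERROR);
} else {
    // Constructed sample input for a command-line run.
    $session = ['csrf_token' => 'constructed-token'];
    $good = ['csrf_token' => 'constructed-token', 'name' => 'Ada',
             'email' => 'ada@example.com', 'message' => 'Hello'];
    $bad  = ['name' => 'Ada', 'email' => 'not-an-email', 'message' => ''];
    echo json_encode(handle_contact_request($good, $session, 'POST')), PHP_EOL;
    echo json_encode(handle_contact_request($bad, $session, 'POST')), PHP_EOL;
}
```

The JS side would include the token (rendered into the page from the same session value) with each AJAX request and read the returned "errors" map to mark the offending fields; hash_equals() is used for the comparison so that the check does not leak timing information.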