javascript, jquery, javascript-security

Show profile picture but don't show if account doesn't exist


I'm currently coding an intranet which is also accessible from the internet. With jQuery I managed to make it so that when the user types his email in the login screen, jQuery requests a PHP page (e.g. picture.php?u=username) and his profile picture appears, so he can check his. How can I prevent a hacker from directly calling my picture.php with all possible emails and checking whether they exist? Should I delete this feature?


Solution

  • You could return a picture (in the PHP page) of a random user when the email does not exist, so that the hacker can't see whether an account with that email address exists.