block outside server direct access to php files

syntych

10:06 am on Mar 5, 2008 (gmt 0)

I have written a script for sending emails from the contact page of my website, and I use a form that posts its data to a PHP file that does all the work.
In the form I create a cookie and prevent the user from sending more than 3 mails per 3 hours, but of course a bot can overcome this and use the PHP file directly.
The PHP files are in a different directory, and I have tried many times to block direct access to that directory and its files, but all I managed to do was block even the site itself from using this folder.

How can I block any outside direct access to the folder containing the PHP files and prevent the scripts from being executed directly, allowing them to be run only by the HTML form, using .htaccess?

gergoe

10:45 am on Mar 5, 2008 (gmt 0)

Since both the bot and your website do exactly the same thing with that email script (post form data), you cannot make Apache distinguish between them, unless you use the Referer header, but that is just not reliable for this (and can be faked as well).

You will need to add server-side logic to both the caller (contact form) page and the email script. The caller should set something, like a session variable, and the email script should check for the existence of this variable.

Another way of overcoming this problem is to restrict the allowed recipient in the email script (the recipients are known), and also to make sure the parameters of the email script do not contain email headers and the like. The most common mistake people used to make is to add the user-specified email address into the headers of the email; that can be 'hacked' if it is not checked to be a valid email address.

Anyway, you should look into forums like PHP Server Side Scripting [webmasterworld.com] and Website Technology Issues [webmasterworld.com], or search on Google for keywords like safe email script or sendmail.php.
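The following is an added example, not code posted in this thread, showing how the two measures gergoe describes fit together in one PHP page: the form page stores a random token in the session and echoes it into a hidden field, the mail handler refuses requests without a matching token, the recipient is hard-coded, and the visitor's address is validated and stripped of CR/LF before it is placed in a Reply-To header. It also moves the 3-per-3-hours limit from the original poster's cookie into the session, so a client cannot simply drop the cookie. The recipient address, the `form_token` field name and the file name `contact.php` are assumptions chosen for illustration.

```php
<?php
// contact.php: renders the form on GET, processes it on POST.
// Added example, not code from the thread. Recipient address and the
// name of the token field are assumptions chosen for illustration.

declare(strict_types=1);
session_start();

const RECIPIENT   = 'contact@example.com'; // fixed; never taken from the request
const MAX_MAILS   = 3;
const WINDOW_SECS = 3 * 3600;

function issue_token(): string {
    // Fresh per-form token kept server-side; the hidden field carries a copy.
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    return $token;
}

function token_is_valid(?string $submitted): bool {
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);            // single use: a replayed POST fails
    return is_string($submitted) && is_string($expected)
        && hash_equals($expected, $submitted); // constant-time comparison
}

function within_rate_limit(): bool {
    // Timestamps live in the session, not in a cookie the client can discard.
    $now  = time();
    $sent = array_values(array_filter(
        $_SESSION['sent'] ?? [],
        fn(int $t): bool => $now - $t < WINDOW_SECS
    ));
    if (count($sent) >= MAX_MAILS) {
        $_SESSION['sent'] = $sent;
        return false;
    }
    $sent[] = $now;
    $_SESSION['sent'] = $sent;
    return true;
}

function clean_header_value(string $value): string {
    // Header injection relies on smuggling CR/LF into a header line.
    return str_replace(["\r", "\n", "\0"], '', trim($value));
}

function valid_sender(string $email): bool {
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false
        && strpbrk($email, "\r\n") === false;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!token_is_valid($_POST['form_token'] ?? null)) {
        http_response_code(403);
        exit('Form was not loaded from this site.');
    }
    if (!within_rate_limit()) {
        http_response_code(429);
        exit('Too many messages; try again later.');
    }
    $from = clean_header_value((string)($_POST['email'] ?? ''));
    if (!valid_sender($from)) {
        http_response_code(400);
        exit('Invalid e-mail address.');
    }
    $subject = clean_header_value((string)($_POST['subject'] ?? 'Contact form'));
    $body    = wordwrap((string)($_POST['message'] ?? ''), 70);
    // From: is our own address. The visitor's address only reaches Reply-To
    // after validation, so it cannot introduce extra headers or recipients.
    $headers = "From: webform@example.com\r\nReply-To: {$from}\r\n";
    mail(RECIPIENT, $subject, $body, $headers);
    exit('Thanks, your message was sent.');
}

$token = htmlspecialchars(issue_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="contact.php">
  <input type="hidden" name="form_token" value="{$token}">
  <input type="email" name="email" required>
  <input type="text" name="subject">
  <textarea name="message" required></textarea>
  <button type="submit">Send</button>
</form>
HTML;
```

A bot that posts straight to the handler now has to fetch the form first to obtain a session cookie and a token, and each token works once, so the request pattern is at least forced through the site's own pages; because the recipient is fixed and the only user-controlled header value is validated, the script cannot be turned into an open relay even if that hurdle is cleared.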