I sent an email to myself with a direct link to a PHP contact form script I wrote to send emails from my site. This is visible in the source code of my pages in the 'Form action'.
Obviously enough, I could right-click the link and download the script which contained my destination email address and all the other information I don't want people seeing.
Is there any way of stopping this or even masking the form action? It completely leaves the script available to anyone to download and bots and abuse.
I guess any solution is true for any files you don't want people downloading directly, right?
Thanks
If you are however including these PHP files into other ones, and they have a non-php extension like .inc, then yes, your files will be visible and downloadable.
Simply rename your files so they are .php files and you will be fine.
If they are .php and you can download, abandon the host immediately and set up some sort of holy ritual to expel them from this world.
If you are really paranoid, then set a variable in the main PHP file that includes others to something like,
$isIncluded = true;
Then, in each include put at the top,
if (!isset ($isIncluded)) { exit (); }
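Added example (not part of the original posts): a small audit script that walks a document root and lists files that contain PHP code but carry an extension the server would not execute, such as the .inc case described above. It generalizes to any non-executed extension (for instance editor backups); the set of handled extensions, the function names and the sample files are assumptions constructed for the demonstration.

```python
import os
import tempfile

# Assumption: the server passes only these extensions to the PHP interpreter;
# adjust to match the real handler configuration.
PHP_HANDLED = {".php"}
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def find_exposed_includes(docroot, handled=PHP_HANDLED):
    """Return paths (relative to docroot) of files that contain PHP code but
    whose extension the server would not execute, so a direct request would
    return the source as plain text."""
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in handled:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(65536)
            except OSError:
                continue  # unreadable file: skip, nothing to inspect
            if any(tag in data for tag in PHP_OPEN_TAGS):
                exposed.append(os.path.relpath(path, docroot).replace(os.sep, "/"))
    return sorted(exposed)


def demo():
    """Build a constructed document root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "includes"))
        samples = {  # constructed sample files, not from the original thread
            "contact.php": "<?php $isIncluded = true; include 'includes/mail.inc';",
            "includes/mail.inc": "<?php $to = 'owner@example.com';",
            "includes/guarded.php": "<?php if (!isset($isIncluded)) { exit(); }",
            "includes/db.php.bak": "<?php $pass = 'constructed';",
            "style.css": "body { margin: 0; }",
        }
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        return find_exposed_includes(root)


if __name__ == "__main__":
    for rel in demo():
        print("served as plain text:", rel)
```

Anything the scan reports should be renamed to .php or moved outside the document root.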