仅允许从表单而不是直接访问PHP脚本 [英] Only allow access to PHP scripts from a form, not directly

问题描述

作为PHP的新手，我可能并没有采用正确的形式，但是这种方式在某种程度上对我有用.以下是我的设置/

Being a novice with PHP, I may not be taking the correct route with forms but this way works for me, up to a point. Below is an example of my setup/

我在www.foo.com/add.php上有一个表单，该表单需要管理员才能登录到会话.该表单将数据插入数据库.提交后，将操作设置为 action ="scripts/add.php" ，然后使用PHP标头函数将其重定向到 www.foo.com/done.php .

I have a form at www.foo.com/add.php, which needs an admin to be logged in to the session. The form inserts data into a database. Once it is submitted, the actions is set to action="scripts/add.php" and then that is redirected using a PHP header function to www.foo.com/done.php.

我想知道的是，您是否可以拒绝直接访问脚本文件，例如如果您在网络浏览器中转到脚本文件，它是否可以在数据库中输入空行或可能导致其他一些安全问题?

What I want to know is, can you deny access to the script file directly, e.g. if you go to the script file in a web browser it could enter an empty row into the database or possibly cause some other security issues?

推荐答案

如果表单是使用 POST 方法提交的( method ="post" >< form> )，您仍然可以仅在POST请求上执行脚本，只需在顶部添加以下代码即可:

If the form is submitted using POST method (with attribute method="post" in <form>), you can still execute your script only on POST requests, by adding this at the top:

 if ($_SERVER['REQUEST_METHOD'] != 'POST') {
   exit;
 }

这篇关于仅允许从表单而不是直接访问PHP脚本的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！