防止直接访问 php 脚本但允许从 index.html
[英] Prevent direct access to php script but allow from index.html
本文介绍了防止直接访问 php 脚本但允许从 index.html的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我有一个简单的联系表单,用户可以在其中输入他们的数据,然后表单将其发送到mail.php"以传递到那里的电子邮件帐户.mail.php"文件与index.html"一起在我的根目录中,我遇到的问题是我不希望用户能够访问 http://mydomain.com/mail.php 直接通过他们的浏览器,因为这只会发送一个空白表格,并可能被用来向我发送垃圾邮件.试图找出一种仅允许表单访问mail.php"的方法,我感到非常紧张.这是我设置表单的方式:
<div class="row half"><div class="12u"><textarea name="message" required placeholder="Message" rows="6"></textarea></div>
<div class="row"><div class="12u"><ul class="actions"><li><input type="submit" class="button" value="Send Message"/></li>
</表单>
然后我的'mail.php'文件是这样设置的,成功标题是一个带有几行文本的html页面,让用户知道他们的电子邮件已经发送,然后将它们重定向回http://mydomain.com 5 秒后.
我摆弄过 .htaccess 和无数其他东西,但我所做的一切似乎都不起作用 - 它要么完全阻止页面(因此表单也无法访问它)要么根本不阻止它.我也看过这个 https://stackoverflow.com/a/409515/3366954 但不能弄清楚如何让它工作.我对 html 和 php 很陌生,但直到现在我已经设法弄清楚了.这次我错过了什么?
解决方案
只需向 PHP 脚本添加一些验证即可.例如:
这将防止任何空白提交,而无需您按引用页面进行过滤.作为一般规则,无论如何,您应该始终验证用户输入,因为它是各种麻烦(黑客、错误、通常意外行为)的根源.
I have a simple contact form where users input their data and the form sends it to 'mail.php' to be passed onto the email account there. The 'mail.php' file is in my root directory alongside 'index.html' and the problem I'm having is that I don't want users to be able to access http://mydomain.com/mail.php directly through their browser as this will just send a blank form and could be used to spam me. I'm getting really stressed trying to figure out a way that will only allow 'mail.php' to be accessed by the form. This is how I have the form set up:
<form method="post" action="mail.php">
<div class="row half">
<div class="6u"><input type="text" required autocomplete="off" name="name" placeholder="Name" /></div>
<div class="6u"><input type="email" required autocomplete="off" name="email" placeholder="Email" /></div>
</div>
<div class="row half">
<div class="12u"><textarea name="message" required placeholder="Message" rows="6"></textarea></div>
</div>
<div class="row">
<div class="12u">
<ul class="actions">
<li><input type="submit" class="button" value="Send Message" /></li>
</ul>
</div>
</div>
</form>
Then my 'mail.php' file is set up like so, and the success header is an html page with a few lines of text that lets the user know their email has sent, then redirects them back to http://mydomain.com after 5 seconds.
<?php
$name = $_POST['name'];
$email = $_POST['email'];
$message = $_POST['message'];
$formcontent=" From: $name
Message: $message";
$recipient = "me@email.com";
$subject = "Contact Form";
$mailheader = "From: $email
";
mail($recipient, $subject, $formcontent, $mailheader) or die("Error!");
header("Location: success");
exit;
?>
I've fiddled around with .htaccess and countless other things but nothing I do seems to work - it will either block the page completely (so that the form can't access it either) or not block it at all. I've also had a look at this https://stackoverflow.com/a/409515/3366954 but couldn't figure out how to get that to work either. I'm quite new to html and php but everything else until now I've managed to figure out. What am I missing this time?
解决方案
Just add some validation to your PHP script. For example:
<?php
if(isset($_POST['name'], $_POST['email'], $_POST['message'])) {
$name = $_POST['name'];
$email = $_POST['email'];
$message = $_POST['message'];
$formcontent=" From: $name
Message: $message";
$recipient = "me@email.com";
$subject = "Contact Form";
$mailheader = "From: $email
";
mail($recipient, $subject, $formcontent, $mailheader) or die("Error!");
header("Location: success");
exit;
}
?>
This will prevent any blank submissions, without requiring you to filter by the referring page. As a general rule, you should always validate user input, anyway, because it is a source of all sorts of trouble (hacking, errors, generally unexpectedly behavior).
这篇关于防止直接访问 php 脚本但允许从 index.html的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
