防止直接访问php脚本，但允许从index.html [英] Prevent direct access to php script but allow from index.html

问题描述

我有一个简单的联系表单，用户输入他们的数据，表单发送到mail.php，以传递到那里的电子邮件帐户。 'mail.php'文件位于index.html的根目录下，我遇到的问题是我不希望用户能够访问 http://mydomain.com/mail.php 直接通过他们的浏览器，因为这将发送一个空白的表单，可以用来垃圾邮件我。我真的很强调，试图找出一种只允许mail.php被表单访问的方式。这是我如何设置表单：

I have a simple contact form where users input their data and the form sends it to 'mail.php' to be passed onto the email account there. The 'mail.php' file is in my root directory alongside 'index.html' and the problem I'm having is that I don't want users to be able to access http://mydomain.com/mail.php directly through their browser as this will just send a blank form and could be used to spam me. I'm getting really stressed trying to figure out a way that will only allow 'mail.php' to be accessed by the form. This is how I have the form set up:

<form method="post" action="mail.php">
    <div class="row half">
        <div class="6u"><input type="text" required autocomplete="off" name="name" placeholder="Name" /></div>
        <div class="6u"><input type="email" required autocomplete="off" name="email" placeholder="Email" /></div>
    </div>
    <div class="row half">
        <div class="12u"><textarea name="message" required placeholder="Message" rows="6"></textarea></div>
    </div>
    <div class="row">
        <div class="12u">
            <ul class="actions">
                <li><input type="submit" class="button" value="Send Message" /></li>
            </ul>
        </div>
    </div>
</form>

然后我的'mail.php'文件设置成这样，成功标题是一个html页面，其中包含几行文字，让用户知道他们的电子邮件已发送，然后将其重定向到 http://mydomain.com 5秒后。

Then my 'mail.php' file is set up like so, and the success header is an html page with a few lines of text that lets the user know their email has sent, then redirects them back to http://mydomain.com after 5 seconds.

<?php
$name = $_POST['name'];
$email = $_POST['email'];
$message = $_POST['message'];
$formcontent=" From: $name \n Message: $message";
$recipient = "me@email.com";
$subject = "Contact Form";
$mailheader = "From: $email \r\n";
mail($recipient, $subject, $formcontent, $mailheader) or die("Error!");
header("Location: success");
exit;
?>

我已经玩过了.htaccess和无数其他的东西，但没有什么我似乎工作 - 它将完全阻止该页面（这样表单也无法访问该页面），或者根本不阻止它。我也看过这个 https://stackoverflow.com/a/409515/3366954 但不能弄清楚如何使它工作。我是html和php的新手，但到目前为止我已经搞清楚了。这次我错过了什么？

I've fiddled around with .htaccess and countless other things but nothing I do seems to work - it will either block the page completely (so that the form can't access it either) or not block it at all. I've also had a look at this https://stackoverflow.com/a/409515/3366954 but couldn't figure out how to get that to work either. I'm quite new to html and php but everything else until now I've managed to figure out. What am I missing this time?

推荐答案

只需向PHP脚本添加一些验证。例如：

Just add some validation to your PHP script. For example:

<?php
if(isset($_POST['name'], $_POST['email'], $_POST['message'])) {
    $name = $_POST['name'];
    $email = $_POST['email'];
    $message = $_POST['message'];
    $formcontent=" From: $name \n Message: $message";
    $recipient = "me@email.com";
    $subject = "Contact Form";
    $mailheader = "From: $email \r\n";
    mail($recipient, $subject, $formcontent, $mailheader) or die("Error!");
    header("Location: success");
    exit;
}
?>

这将防止任何空白提交，而不需要您通过引用页面进行过滤。作为一般规则，您应该始终验证用户输入，无论如何，因为它是各种麻烦的源头（黑客，错误，一般意外的行为）。

This will prevent any blank submissions, without requiring you to filter by the referring page. As a general rule, you should always validate user input, anyway, because it is a source of all sorts of trouble (hacking, errors, generally unexpectedly behavior).

这篇关于防止直接访问php脚本，但允许从index.html的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！