.hdaccess blocking file isn't playing ball all OK

[netsearchmonkey]

Hi all,

This is a simple situation with a thus far dire result.

I have a contact.php page. This contains the form. I then have a sendemail.php file that actually validates and processes sending the email. This works fine.

I wanted to block access to sendemail.php because if some visitor who likes to experiment comes along and wants to open it directly (by typing in the url) it will show errors (since no variables are being passed from contact.php).

And so do achieve this I did this:

# Deny access to file
<Files sendemail.php>
order allow,deny
deny from all
</Files>

Now. Great and not so great. Great because directly access to sendemail.php isn't possible. Not great because the contact.php cannot access the sendemail.php file to complete sending the email (or let the visitor knows there are form errors etc.).

I was researching into the "allow from XXX" method to add to that above in .htacces but it's not working form me. It will either cause a server 500 error or just not achieve what I need it to do.

Any ideas where my thinking is going wrong? Only contact.php should have the right to open up sendemail.php. No one or no other file needs to.

Thanks in advance,

[netsearchmonkey]

I should also add this:

As mentioned the "allow from <IP address here> method doesn't work so I can't allow my localhost to bypass by "deny all".

Further to the above I can't fix it with an "allow from <IP address>" that works (perhaps different syntax?) because the online web server has a dynamic IP. I guess I could just use the network ID part of the IP address but this isn't too professional as that network ID might have thousands of hosts around the world (i.e. not just the web hosting company).

Is this a catch 22? There's got to be some sneaky way to secure the sendemail.php file without it affecting the website. Only contact.php should have the rights to access it.

Any thoughts guys and gals?

Thanks.

[netsearchmonkey]

Is this a very difficult question? Surely someone knows a thing or two about the topic?

[Arkh]

Let me get this straight.
Your form has "sendemail.php" as action attribute ?

If yes, what you want to do is impossible the way you want to do it.

[netsearchmonkey]

Let me get this straight.
Your form has "sendemail.php" as action attribute ?

If yes, what you want to do is impossible the way you want to do it.

contact.php has the contact form on it where the user fills out the fields (i.e. email address, name, email topic, email message, captcha etc.). This then gets sent to sendemail.php which validates and if all okay sends the email via the PHP STMP method.

It's not vital security wise but if some smart visitors types in website url/sendemail.php the latter page will display but since it's not being passed any variables from contact.php it will display lots of errors on it.

sendemail.php gets the info from contact.php via the POST method.

Due to the above it would be professional to limit access to sendemail.php by anything (any file) and anyone other than by contact.php.

Thanks again.

[Arkh]

Ok. I think you don't understand how browsers work.
When your browser goes on contact.php, it requests contact.php from your server and display the form.
In this form, it learn that whatever is filled must be posted to sendemail.php.
When the user submit the form, the browser requests sendemail.php from your server.
For your server that's two independant queries, there is no link between them. You do not have a permanent connexion between the browser and your server.
So, trying to restrict your script with .htaccess is doomed to fail.

There are some solutions to your problem but they imply some php coding. The best one being to clean your code and instead of doing things with user input without checking anything about them, do some checks. At least, if the values your are expecting are not present redirect the user to your contact.php page with some header magic.

[netsearchmonkey]

Ok. I think you don't understand how browsers work.
When your browser goes on contact.php, it requests contact.php from your server and display the form.
In this form, it learn that whatever is filled must be posted to sendemail.php.
When the user submit the form, the browser requests sendemail.php from your server.
For your server that's two independant queries, there is no link between them. You do not have a permanent connexion between the browser and your server.
So, trying to restrict your script with .htaccess is doomed to fail.

There are some solutions to your problem but they imply some php coding. The best one being to clean your code and instead of doing things with user input without checking anything about them, do some checks. At least, if the values your are expecting are not present redirect the user to your contact.php page with some header magic.

As stated above, all validations checks are in sendemail.php. The problem is not concerned with the contacts page (contact.php) and sendemail.php not working (they work just fine) but rather a user coming along and manually typing in the url to go do sendemail.php directly.

In other words this isn't about fixing a faulty contacts page that isn't processing the user input but rather stopping intruders (for a better phrase) going directly to sendemail.php (typing the url path in their browser's address bar).

Does that make it any clearer?

Thanks.

[Arkh]

What is the problem you have when someone goes directly on sendemail.php ?
If you check that something has been posted before trying to do anything and you display errors stating something is missing, I don't see any problem.

If you want a better intruder experience, you can add a name to your submit button and check if it is set on sendemail.php, if it is not you redirect the page to contact.php.

[netsearchmonkey]

What is the problem you have when someone goes directly on sendemail.php ?
If you check that something has been posted before trying to do anything and you display errors stating something is missing, I don't see any problem.

If you want a better intruder experience, you can add a name to your submit button and check if it is set on sendemail.php, if it is not you redirect the page to contact.php.

The problem is, as stated above, if there are no form variables past to sendemail.php via the POST method then sendemail.php will display errors when it renders the page in the browser window.

What you suggest seems like a good idea. How would the code look for this? Just check for "if XYZ == null or "" then die" .....something along those lines?

[Arkh]

Something like :

Code:

if(!isset($_POST['submitName'])){
  header('Location: contact.php');
  exit(); // Needed so if a browser don't follow redirect headers, the code after is not run
}

[netsearchmonkey]

I've modified your code and it works excellent. Thanks a lot.

Thanks for your help.