doukuang1950 2015-01-01 18:04

Deny access to certain files on the server

I have a newsletter subscription system and I would like to deny access to some files (such as the script that subscribes the user). The problem I ran into is that I need to deny access to the files for anyone coming from outside, but the scripts need to have access to each other.

For example, I have the following files:

  • index.html
  • subscribe.php

It should not be possible to access subscribe.php by typing the corresponding URL. However, index.html needs to be able to send the data that was input into a form to subscribe.php.

Here is what I tried so far:

I left index.html in my root directory and moved subscribe.php to the folder /restricted. I added the file .htaccess to the folder restricted. .htaccess just contains: deny from all

This gives me a 403 error when I try to access subscribe.php through the URL, but it also gives me the same error when I submit the form in index.html.

My question: what does my .htaccess file need to look like to achieve what I want and why does what I tried not work?

1 answer

  • drzbc6003 2015-01-01 18:15

    The problem I ran into is that I need to deny access to the files for anyone coming from outside, but the scripts need to have access to each other.

    You are incorrect; that's not consistent with what you say later:

    The problem I ran into is that I need to deny access to the files for anyone coming from outside, but the scripts need to have access to each other.

    You are not submitting the form; the client's browser is submitting the form with a Web request. Don't think of it like this:

    index.html needs to be able to send the data that was input into a form to subscribe.php.

    That's not what's happening. index.html contains HTML that, when rendered on the client's browser, instructs the browser where and how to submit the registration form.

    There are a few things you could try:

    • Forms are typically submitted with a POST request. You could write subscribe.php to block GET requests and to expect the appropriate form submission information.
    • The Referer [sic] header could be checked to make sure the referring webpage was indeed your 'index.html'; but be warned that this, like any HTTP header with a known value, is trivial to forge.
    • PHP Sessions could be used to track a client's access of index.html before posting a submission form. PHP sessions (typically) use client cookies to store a session 'token' that is then associated on the server side with a hash of information stored in a file or session cache. When programmed well, the client never has access to this data and therefore would only be able to get the session variable 'HasVisitedIndex' or whatever set if you set it for them in the session.

    There are probably other solutions, but as you can see none of them is a complete slam-dunk because of the stateless client-server model of HTTP.

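The POST-only check and the session idea from the answer above, combined into one guard. This is an added example, not code from the question or the answer. It assumes the form page is served by PHP (index.php instead of index.html) so that it can start a session; the file name form_guard.php, the functions issue_form_token() and require_form_post(), and the field names form_token and email are hypothetical.

```php
<?php
// form_guard.php (hypothetical helper, included by both pages)
declare(strict_types=1);

// Called by the page that renders the form. Stores a random token in the
// server-side session and returns it so it can be embedded in the form.
function issue_form_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // The client only holds the session cookie; it cannot set this value itself.
    $_SESSION['form_token'] = bin2hex(random_bytes(32));
    return $_SESSION['form_token'];
}

// Called at the top of subscribe.php. Returns the validated e-mail address,
// or sends an error status and stops.
function require_form_post(): string
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        header('Allow: POST');
        http_response_code(405);          // a typed URL (plain GET) ends here
        exit;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['form_token'] ?? '';
    $supplied = $_POST['form_token'] ?? '';
    unset($_SESSION['form_token']);       // single use: a replayed POST fails
    if (!is_string($supplied) || $expected === '' || !hash_equals($expected, $supplied)) {
        http_response_code(403);          // form was never served to this session
        exit;
    }
    $email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        http_response_code(422);          // token fine, input is not an address
        exit;
    }
    return $email;
}

// index.php:     echo '<input type="hidden" name="form_token" value="' . issue_form_token() . '">';
// subscribe.php: require __DIR__ . '/form_guard.php'; $email = require_form_post();
```

subscribe.php stays reachable by URL, as the answer explains it must; the guard only rejects requests that did not come through a form served to the same session. A client that first requests the form page and then posts still passes, which is the limit the answer describes.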
