dougan1884 2014-03-01 03:14
浏览 47
已采纳

阻止直接访问php脚本,但允许从index.html

I have a simple contact form where users input their data and the form sends it to 'mail.php' to be passed onto the email account there. The 'mail.php' file is in my root directory alongside 'index.html' and the problem I'm having is that I don't want users to be able to access http://mydomain.com/mail.php directly through their browser as this will just send a blank form and could be used to spam me. I'm getting really stressed trying to figure out a way that will only allow 'mail.php' to be accessed by the form. This is how I have the form set up:

<form method="post" action="mail.php">
    <div class="row half">
        <div class="6u"><input type="text" required autocomplete="off" name="name" placeholder="Name" /></div>
        <div class="6u"><input type="email" required autocomplete="off" name="email" placeholder="Email" /></div>
    </div>
    <div class="row half">
        <div class="12u"><textarea name="message" required placeholder="Message" rows="6"></textarea></div>
    </div>
    <div class="row">
        <div class="12u">
            <ul class="actions">
                <li><input type="submit" class="button" value="Send Message" /></li>
            </ul>
        </div>
    </div>
</form>

Then my 'mail.php' file is set up like so, and the success header is an html page with a few lines of text that lets the user know their email has sent, then redirects them back to http://mydomain.com after 5 seconds.

<?php
$name = $_POST['name'];
$email = $_POST['email'];
$message = $_POST['message'];
$formcontent=" From: $name 
 Message: $message";
$recipient = "me@email.com";
$subject = "Contact Form";
$mailheader = "From: $email 
";
mail($recipient, $subject, $formcontent, $mailheader) or die("Error!");
header("Location: success");
exit;
?>

I've fiddled around with .htaccess and countless other things but nothing I do seems to work - it will either block the page completely (so that the form can't access it either) or not block it at all. I've also had a look at this https://stackoverflow.com/a/409515/3366954 but couldn't figure out how to get that to work either. I'm quite new to html and php but everything else until now I've managed to figure out. What am I missing this time?

  • 写回答

3条回答 默认 最新

  • doujiu4643 2014-03-01 03:18
    关注

    Just add some validation to your PHP script. For example:

    <?php
if(isset($_POST['name'], $_POST['email'], $_POST['message'])) {
    $name = $_POST['name'];
    $email = $_POST['email'];
    $message = $_POST['message'];
    $formcontent=" From: $name 
 Message: $message";
    $recipient = "me@email.com";
    $subject = "Contact Form";
    $mailheader = "From: $email 
";
    mail($recipient, $subject, $formcontent, $mailheader) or die("Error!");
    header("Location: success");
    exit;
}
?>

    This will prevent any blank submissions, without requiring you to filter by the referring page. As a general rule, you should always validate user input, anyway, because it is a source of all sorts of trouble (hacking, errors, generally unexpectedly behavior).

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥15 程序不包含适用于入口点的静态Main方法
  • ¥15 素材场景中光线烘焙后灯光失效
  • ¥15 请教一下各位,为什么我这个没有实现模拟点击
  • ¥15 执行 virtuoso 命令后,界面没有,cadence 启动不起来
  • ¥50 comfyui下连接animatediff节点生成视频质量非常差的原因
  • ¥20 有关区间dp的问题求解
  • ¥15 多电路系统共用电源的串扰问题
  • ¥15 slam rangenet++配置
  • ¥15 有没有研究水声通信方面的帮我改俩matlab代码
  • ¥15 ubuntu子系统密码忘记