doukuang1950
2015-01-01 18:04
Views: 54
Accepted

Deny access to certain files on the server

I have a newsletter subscription system and I would like to deny access to some files (such as the script that subscribes the user). The problem I ran into is that I need to deny access to the files for anyone coming from outside, but the scripts need to have access to each other.

For example, I have the following files:

  • index.html
  • subscribe.php

It should not be possible to access subscribe.php by typing the corresponding URL. However, index.html needs to be able to send the data that was input into a form to subscribe.php.

Here is what I tried so far:

I left index.html in my root directory and moved subscribe.php to the folder /restricted. I added the file .htaccess to the folder restricted. .htaccess just contains: deny from all

This gives me a 403 error when I try to access subscribe.php through the URL, but it also gives me the same error when I submit the form in index.html.

My question: what does my .htaccess file need to look like to achieve what I want, and why does what I tried not work?


1 answer

  • drzbc6003 2015-01-01 18:15
    Accepted

    The problem I ran into is that I need to deny access to the files for anyone coming from outside, but the scripts need to have access to each other.

    You are incorrect; that's not consistent with what you say later:

    The problem I ran into is that I need to deny access to the files for anyone coming from outside, but the scripts need to have access to each other.

    You are not submitting the form; the client's browser is submitting the form with a Web request. Don't think of it like this:

    index.html needs to be able to send the data that was input into a form to subscribe.php.

    That's not what's happening. index.html contains html that, when rendered on the client's browser, instructs the browser where and how to submit the registration form.

    There are a few things you could try:

    • Forms are typically submitted with a POST request. You could write subscribe.php to block GET requests and to expect the appropriate form submission information.
    • The Referer [sic] header could be checked to make sure the referring webpage was indeed your 'index.html'; but be warned that this, like any http header with a known value, is trivial to forge.
    • PHP Sessions could be used to track a client's access of index.html before posting a submission form. PHP sessions (typically) use client cookies to store a session 'token' that is then associated on the server side with a hash of information stored in a file or session cache. When programmed well, the client never has access to this data and therefore would only be able to get the session variable 'HasVisitedIndex' or whatever set if you set it for them in the session.

    There are probably other solutions, but as you can see none of them is a complete slam-dunk because of the stateless client-server model of HTTP.
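The first and third suggestions above, worked out as an added example (not code from the thread): a subscribe.php that refuses anything but POST and only accepts a submission carrying a token that a server-side page issued into the visitor's session. It assumes the form is served by a hypothetical index.php rather than a static index.html (a static file cannot start a session), that both files sit in the web root, and that the `deny from all` .htaccess is removed, since the browser's form POST is itself an outside request and would be blocked by it.

```php
<?php
// subscribe.php (added example, hypothetical layout): reached only by the browser's
// POST from the form; a direct GET of the URL and a stale or forged POST both fail.
declare(strict_types=1);

session_start();

// 1. Forms are submitted with POST; a visitor typing the URL sends GET, so refuse it.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Method not allowed');
}

// 2. Session check. The hypothetical index.php issues the token before rendering
//    the form, e.g.:
//        session_start();
//        $_SESSION['form_token'] = bin2hex(random_bytes(32));
//        <input type="hidden" name="form_token"
//               value="<?= htmlspecialchars($_SESSION['form_token']) ?>">
//    The value lives server-side, so the client cannot grant itself access; this is
//    what makes it stronger than a Referer check, which any client can forge.
$sent  = $_POST['form_token'] ?? '';
$known = $_SESSION['form_token'] ?? '';
if ($known === '' || !is_string($sent) || !hash_equals($known, $sent)) {
    http_response_code(403);
    exit('Form token missing or invalid');
}
unset($_SESSION['form_token']);   // single use: replaying the same POST fails

// 3. Only now look at the subscription data itself.
$email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
if ($email === false) {
    http_response_code(400);
    exit('Invalid e-mail address');
}

// ... store $email in the subscriber list here (constructed placeholder) ...
echo 'Subscribed';
```

Because HTTP is stateless, this still does not make subscribe.php unreachable from outside; it only ensures that whoever posts to it first fetched the form in the same session, which is the most the page's third suggestion can give you.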
