doukuang1950 2015-01-01 18:04
Accepted

Deny access to certain files on the server

I have a newsletter subscription system and I would like to deny access to some files (such as the script that subscribes the user). The problem I ran into is that I need to deny access to the files for anyone coming from outside, but the scripts need to have access to each other.

For example, I have the following files:

  • index.html
  • subscribe.php

It should not be possible to access subscribe.php by typing the corresponding URL. However, index.html needs to be able to send the data that was input into a form to subscribe.php.

Here is what I tried so far:

I left index.html in my root directory and moved subscribe.php to the folder /restricted. I added the file .htaccess to the folder restricted. .htaccess just contains: deny from all

This gives me a 403 error when I try to access subscribe.php through the URL, but it also gives me the same error when I submit the form in index.html.

My question: what does my .htaccess file need to look like to achieve what I want, and why does what I tried not work?

1 answer

  • drzbc6003 2015-01-01 18:15

    The problem I ran into is that I need to deny access to the files for anyone coming from outside, but the scripts need to have access to each other.

    You are incorrect; that's not consistent with what you say later:

    The problem I ran into is that I need to deny access to the files for anyone coming from outside, but the scripts need to have access to each other.

    You are not submitting the form; the client's browser is submitting the form with a Web request. Don't think of it like this:

    index.html needs to be able to send the data that was input into a form to subscribe.php.

    That's not what's happening. index.html contains html that, when rendered on the client's browser, instructs the browser where and how to submit the registration form.

    There are a few things you could try:

    • Forms are typically submitted with a POST request. You could write subscribe.php to block GET requests and to expect the appropriate form submission information
    • The Referer [sic] header could be checked to make sure the referring webpage was indeed your 'index.html'; but be warned that this, like any http header with a known value, is trivial to forge.
    • PHP Sessions could be used to track a client's access of index.html before posting a submission form. PHP sessions (typically) use client cookies to store a session 'token' that is then associated on the server side with a hash of information stored in a file or session cache. When programmed well, the client never has access to this data and therefore would only be able to get the session variable 'HasVisitedIndex' or whatever set if you set it for them in the session.

    There are probably other solutions, but as you can see none of them is a complete slam-dunk because of the stateless client-server model of HTTP.

    This answer was selected as the best answer by the asker.
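
The POST-only check and the session check suggested in the answer, combined in one handler. This is an added example, not code from the question or the answer; it assumes the form page is served by PHP (for instance index.php instead of index.html) so it can start a session, and the field names `form_token` and `email` are hypothetical.

```php
<?php
// subscribe.php: added example; 'form_token' and 'email' are assumed names.
declare(strict_types=1);

/** The form page calls this after session_start() and prints the result
 *  into a hidden input named "form_token". */
function issue_form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

/** Returns the HTTP status the request deserves; 200 means "accept". */
function check_submission(string $method, array $post, array &$session): int
{
    if ($method !== 'POST') {
        return 405;                       // typing the URL sends a GET
    }
    $expected = (string) ($session['form_token'] ?? '');
    $given    = $post['form_token'] ?? null;
    unset($session['form_token']);        // each token is single use
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return 403;                       // form page was not loaded in this session
    }
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        return 400;                       // missing or malformed address
    }
    return 200;
}

// Act as the request handler only when this file is the requested script,
// so the form page can require it just to call issue_form_token().
if (realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    session_start();
    $status = check_submission($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST, $_SESSION);
    http_response_code($status);
    if ($status === 405) {
        header('Allow: POST');
    }
    header('Content-Type: text/plain; charset=utf-8');
    echo $status === 200 ? "Subscription request accepted\n" : "Request rejected ($status)\n";
}
```

subscribe.php has to stay reachable over HTTP for the browser's POST to arrive, so a `deny from all` rule cannot cover it. A client that loads the form page first still receives a valid token, which is the limit the answer describes.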