How to secure the use of a PHP script that triggers emails?

Question

I build a PHP script to send emails (based on Amazon SES).

So I can make a GET or POST Ajax call to my PHP script:

envoi.php?nom=John&email=john@domain.com

triggers an email to be sent to john@domain.com.

My website has a registration form which on submit makes a jquery ajax call to the PHP script (website and PHP script are on the same server). I use the script also for other events.

Now I am concerned that this script could obviously be abused if anyone gets hold of its URL.

How can I secure the access to this script?

Answer 1

Step1: When the user opens the registration form, from which he can send mail and passes captcha, set a $_SESSION parameter.

$_SESSION["mail_allowed"] = true;

Step2: The request is sent as usual to

envoi.php?nom=John&email=john@domain.com

Step3: Finally, in the mail script, do something like the following:

if($_SESSION["mail_allowed"]){
    $_SESSION["mail_allowed"] = false;
    //send mail  
}
else{
    die('File cannot be executed directly');
}

This way, the user is allowed to send mail once he opens your page, but cannot execute the mailer script directly.

Answer 2

Yes, this could easily be abused. There's no solid solution, but a couple ways to protect it come to mind:

• Only allow the link to work for authenticated users that you are sure aren't bots (captcha?)
• Prevent the same IP address from issuing repeated requests.

Answer 3

You could use a captcha to protect access to this script and make abuses a little harder.