NotMuchOfAProgrammer

Reputation: 315

Secure form submission

So I was just told that having this sort of thing visible whenever someone views the source on your front end is insecure:

<form action="http://www.somedomain.com/form.php" method="post">

Basically, that someone being able to see the php file that the form submits to is dangerous. Is this the case? If so, how do I make my visible source secure while still having the form submit to our hypothetical "form.php"?

Upvotes: 1

Views: 2306

Answers (3)

Konrad Neuwirth

Reputation: 898

Security by obscurity is a good policy in only very select, specific cases. But knowing where forms submit to – that's actually the nature of web forms. There's no way around that.

Even if the URL you submit to is somehow dynamically created for some kind of impression of security – just have a proxy between the browser and the server, and the entire HTTP dialogue is open to be read.

Upvotes: 1

Daryl Gill

Reputation: 5524

I personally do not see a problem with showing the page which the form submits to, because once the user submits his/her entries, the action="" will redirect the user to the page stated anyway, so either way they will see where they will end up, whether in the URL bar or the form scripts.

Just ensure you sanitize the user-input data before passing it through your database.

Depending on what you're using for your database interaction, there will be functions available to protect you from injection.

Upvotes: 1
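As an added example of the point in the answer above (sanitising input and using the injection-safe functions of your database layer), here is a hypothetical form.php handler. It is not code from the question or from any answer; the table name, column names, DSN and credentials are placeholders I made up, and it assumes PDO with MySQL.

```php
<?php
// form.php - added example handler (not from the question or answers).
// Assumes a table `messages(name VARCHAR(80), email VARCHAR(254), body TEXT)`;
// the DSN and credentials below are placeholders.
declare(strict_types=1);

// Accept only POST. Anyone who reads the action URL in the page source and
// requests it directly with GET gets nothing but a 405.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Method Not Allowed');
}

// Validate and normalise every field before anything touches the database.
$name  = trim((string) ($_POST['name'] ?? ''));
$email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
$body  = trim((string) ($_POST['body'] ?? ''));

$errors = [];
if ($name === '' || mb_strlen($name) > 80)   { $errors[] = 'name'; }
if ($email === false)                         { $errors[] = 'email'; }
if ($body === '' || mb_strlen($body) > 5000)  { $errors[] = 'body'; }
if ($errors !== []) {
    http_response_code(422);
    // Escape before echoing so the error page itself cannot be used for reflected XSS.
    exit('Invalid fields: ' . htmlspecialchars(implode(', ', $errors), ENT_QUOTES, 'UTF-8'));
}

// ERRMODE_EXCEPTION surfaces failures instead of silently continuing;
// EMULATE_PREPARES=false keeps the prepared statement on the server side so
// parameter values are never spliced into the SQL text by the client library.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Parameterised INSERT: the query shape and the values travel separately, so a
// value containing quotes or SQL keywords is stored as text, never executed.
$stmt = $pdo->prepare(
    'INSERT INTO messages (name, email, body) VALUES (:name, :email, :body)'
);
$stmt->execute([':name' => $name, ':email' => $email, ':body' => $body]);

// Post/Redirect/Get: a 303 to a static page so a browser refresh cannot resubmit.
header('Location: /thanks.html', true, 303);
exit;
```

The visible action URL is not the secret here; what matters is that form.php treats every submitted value as untrusted, validates it, and hands it to the database only as a bound parameter.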

cristi _b

Reputation: 1813

First of all, PHP source code can't be viewed unless you restrict access to it via htaccess or other ways. Secondly, your front-end source code must always be public because security issues aren't treated from the front end to the back end. Thirdly, your PHP file's source can't be viewed like a CSS file or JavaScript code.

If you want to restrict direct HTTP access to form.php, you could use .htaccess.

I use this solution: some files are marked as somefile.php, but some util files are either stored in a folder or marked as utils.inc.php, so I make sure that I restrict direct access to inc.php files and allow everything else.

Upvotes: 4
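The answer above restricts direct access to *.inc.php files at the web-server level with .htaccess. As an added example (mine, not the answerer's), here is the complementary check inside the PHP files themselves, so that an include file still refuses to run if the server rule is ever missing or misconfigured. The constant name APP_ENTRY, the file names and the helper function are all hypothetical.

```php
<?php
// ---- utils.inc.php (added example; file and constant names are hypothetical) ----
// Defence in depth alongside the .htaccess rule: this file must only ever be
// pulled in by a front controller that has defined APP_ENTRY first. A direct
// request such as GET /utils.inc.php reaches this guard and stops with a 403.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit('Forbidden');
}

// Example utility that the front controller is allowed to use.
function normalise_name(string $raw): string
{
    return mb_substr(trim($raw), 0, 80);
}
```

```php
<?php
// ---- index.php (added example; the public entry point) ----
declare(strict_types=1);

// Defined before any include, so the guard in utils.inc.php passes only on this path.
define('APP_ENTRY', true);
require __DIR__ . '/utils.inc.php';

// Output is escaped, since $_GET is attacker-controlled input reflected into HTML.
echo htmlspecialchars(normalise_name((string) ($_GET['name'] ?? '')), ENT_QUOTES, 'UTF-8');
```

With both layers in place, a misconfigured server that serves .inc.php files directly still does not expose their behaviour, and a missing define() in a new entry point fails closed rather than open.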
