Rachel

Reputation: 285

Deny access to php file except to process HTML forms

I am using PHPMailer to email myself data from HTML forms submitted on my website. So I have this file mydomain.com/mail/mailer.php that must contain the password to my email account. So I want to deny access to mydomain.com/mail/ to protect this file and generally keep people out of there. When I do this with "Deny from all" in .htaccess in mydomain.com/mail/, my forms stop working due to a 403 error.

How do I let the HTML forms at mydomain.com be processed while denying access to everyone else?

My mailer script redirects to a success page outside of my mail subdirectory, so that is not a problem. The 403 is happening before the script succeeds in emailing me the form data.

I already tried "Order Allow,Deny / Deny from all / Allow from mydomain.com". I also got a 403 before any email was sent.

Upvotes: 0

Views: 538

Answers (2)

itsmejodie

Reputation: 4228

  1. Just because the code contains your password does not mean that people can see it. If someone goes to that URL, the code executes; it doesn't just dump the code to the browser, if that's what you are worried about.
  2. If you have forms that POST/GET to this script, then of course the script must be available (not protected via .htaccess deny rules etc.).
  3. Having said all that, you can simply split the configuration into a separate file that you include (e.g. config.php) and then protect that file:

E.g.

/myfolder/myform.php
/myfolder/config.php

In the case above, you can have myform.php include 'config.php' and then add a DENY rule to your .htaccess preventing any access to config.php.

Example /myfolder/.htaccess entry:

<Files "config.php">
   Order deny,allow
   Deny from all
</Files>

Upvotes: 1
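
The rule from the answer above, written so that it applies on both Apache 2.2 and Apache 2.4. This is an added example, not part of the original answer; it assumes the /myfolder/ layout used there and that .htaccess overrides are enabled for that directory.

```apache
# /myfolder/.htaccess
#
# Blocks HTTP requests for config.php only. myform.php stays reachable so
# the form can still submit to it, and its include of 'config.php' keeps
# working because PHP reads the file from disk, not through the web server.

# Apache 2.4 and later: mod_authz_core is present, so use Require.
# Needs "AllowOverride AuthConfig" (or All) for this directory.
<IfModule mod_authz_core.c>
    <Files "config.php">
        Require all denied
    </Files>
</IfModule>

# Apache 2.2: mod_authz_core does not exist, so use Order/Deny.
# Needs "AllowOverride Limit" (or All) for this directory.
<IfModule !mod_authz_core.c>
    <Files "config.php">
        Order deny,allow
        Deny from all
    </Files>
</IfModule>
```

If the rule is in effect, a browser request for /myfolder/config.php returns 403 while submitting the form to /myfolder/myform.php still succeeds.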

Amadan

Reputation: 198436

You can't deny mailer.php and expect it to work. The whole point of its existence is having people be directed to it when they submit the form. If your web browser is correctly configured and executes PHP code as it should, and no other script on your web has security flaws, and your system is properly patched and up-to-date, and your passwords are secure and of high enough quality, it is reasonably certain to expect that no-one but yourself will see the source code of your file.

Upvotes: 0
