The Little Guy Posted July 18, 2009 I usually have a directory structure where I place files that only do processing such as form processing, in a directory called "Process", for example: <form action="/process/action.php" method="post"> Is there any way I could make it so I could make it harder for people to access the file "/process/action.php"? This would help stop spam bots from accessing this file directly, or some person from accessing the file directly. I am pretty sure that this file can not be accessed from above the root. I am not 100% sure of a good method of securing these files that only process user input data. Any good suggestions?
AwptiK Posted July 18, 2009 You can change the file/directory permissions so that only the server has access to the folder and its contents. On cPanel I'm pretty sure you can right-click a folder/file and click "Change Permissions".
The Little Guy Posted July 18, 2009 Wouldn't the server always be the one accessing the files?
mattal999 Posted July 18, 2009 Yes, but he means that only the server itself can access the file. For example, a PHP login would hide the contents from the outside world; the same principle applies to the server. It can view the files, because it is always 'logged in', but nobody else can, because they are not 'logged in', and cannot 'log in'.
The Little Guy Posted July 18, 2009 What do you mean by "hide the contents"?
GingerRobot Posted July 18, 2009 You can't do anything like that. The browser needs to be able to make a request to /process/action.php in order to submit the form. Yes, you can prevent access to things the browser/user doesn't need access to -- for example, a database connection script -- but you need access to this file. Prevent spam bots with the use of a captcha.
The Little Guy Posted July 18, 2009

> You can't do anything like that. The browser needs to be able to make a request to /process/action.php in order to submit the form. Yes, you can prevent access to things the browser/user doesn't need access to -- for example, a database connection script -- but you need access to this file. Prevent spam bots with the use of a captcha.

That is what I thought. I know that $_server['HTTP_REFERRER'] can be modified, but would using that, and a few extra "invisible" hoops for an average user, such as a required timestamp, work? Is there a PHP hash that is created uniquely on a server? For example, md5 will produce the same hash for the string "abcd", no matter what server it is on. Is there a PHP hash function that will make the exact same hash every time on one server, but as soon as another server tries the hash on "abcd" it will get a completely different output, yet it will be the same every time on that server? Does this paragraph make sense?
GingerRobot Posted July 19, 2009

> I know that $_server['HTTP_REFERRER'] can be modified, but would using that, and a few extra "invisible" hoops for an average user, such as a required timestamp, work?

No. Using the referrer for anything other than information gathering purposes is a bad idea imo. Some firewalls have been known to block the sending of the referrer. You shouldn't do anything to block bots that could block legitimate users.

> Does this paragraph make sense?

Not particularly. Yes, you could add some salt to the input for any given hashing algorithm to allow it to produce a different output, but what would be the point? If you're attempting one of these token things whereby there is a hidden field in the form containing a hash which is also set in the session, then sure, it makes things harder for a malicious user; but it is not foolproof.
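As an added illustration (not code from anyone in this thread), here is the hidden-field-plus-session token GingerRobot describes, using a keyed hash (hash_hmac with a secret only this server knows), which is the "same on this server, different on any other server" behaviour The Little Guy asked about. It assumes PHP 7 or later, a form id of 'contact', and a secret loaded from a config file kept outside the web root; the FORM_SECRET value below is a placeholder.

```php
<?php
// Added example: session-bound form token for /process/action.php.
// The secret is a placeholder; load a long random value from config outside the web root.
const FORM_SECRET = 'replace-with-a-long-random-per-server-secret';

session_start();

// Mint a token for the form page: "<issued-timestamp>:<hmac>".
// Bound to this session (random nonce), this form id and the issue time.
function form_token_create($form_id)
{
    if (empty($_SESSION['form_nonce'])) {
        $_SESSION['form_nonce'] = bin2hex(random_bytes(16));
    }
    $issued = time();
    $mac = hash_hmac('sha256', $form_id . '|' . $issued . '|' . $_SESSION['form_nonce'], FORM_SECRET);
    return $issued . ':' . $mac;
}

// Verify in /process/action.php: true only for a token minted by this server,
// for this session and form, no more than $max_age seconds ago.
function form_token_verify($form_id, $token, $max_age = 3600)
{
    if (empty($_SESSION['form_nonce']) || !is_string($token)) {
        return false;
    }
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    list($issued, $mac) = $parts;
    if (time() - (int) $issued > $max_age) {
        return false; // expired: an old copy of the form cannot be replayed forever
    }
    $expected = hash_hmac('sha256', $form_id . '|' . $issued . '|' . $_SESSION['form_nonce'], FORM_SECRET);
    return hash_equals($expected, $mac); // constant-time comparison
}

// In the page that renders the form:
// <input type="hidden" name="token" value="<?php echo htmlspecialchars(form_token_create('contact')); ?>">

// In /process/action.php, before any processing:
$token = isset($_POST['token']) ? $_POST['token'] : '';
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !form_token_verify('contact', $token)) {
    header('HTTP/1.1 403 Forbidden');
    exit('Invalid or missing form token.');
}
// ... process the submitted data here ...
```

This rejects blind posts to action.php and submissions forged from another site, but a bot that first fetches the form with the same session cookie still receives a valid token, which is the "not foolproof" caveat above; a captcha addresses that case.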