Data Processing Methods


The Little Guy

I usually have a directory structure where I place files that only do processing such as form processing, in a directory called "Process", for example:

 

<form action="/process/action.php" method="post">

 

Is there any way I could make it harder for people to access the file "/process/action.php"? This would help stop spam bots from accessing this file directly, or some person from accessing the file directly. I am pretty sure that this file can not be accessed from above the root. I am not 100% sure of a good method of securing these files that only process user input data. Any good suggestions?


Yes, but he means that only the server itself can access the file. For example, a PHP login would hide the contents from the outside world, the same principle applies to the server. It can view the files, because it is always 'logged in', but nobody else can, because they are not 'logged in', and cannot 'log in'.

You can't do anything like that. The browser needs to be able to make a request to /process/action.php in order to submit the form. Yes, you can prevent access to things the browser/user doesn't need access to -- for example, a database connection script -- but you need access to this file.

 

Prevent spam bots with the use of a captcha.

You can't do anything like that. The browser needs to be able to make a request to /process/action.php in order to submit the form. Yes, you can prevent access to things the browser/user doesn't need access to -- for example, a database connection script -- but you need access to this file.

 

Prevent spam bots with the use of a captcha.

 

That is what I thought.

 

I know that $_SERVER['HTTP_REFERER'] can be modified, but would using that, and a few extra "invisible" hoops for an average user, such as a required timestamp, work?

 

Is there a PHP hash that is created uniquely on a server? For example, md5 will have the same ending hash on the string "abcd", no matter what server it is on. Is there a PHP hash function that will make a hash the exact same every time on one server, but as soon as another server tries the hash on "abcd" it will get a completely different output, yet it will be the same every time on that server? Does this paragraph make sense?

I know that $_SERVER['HTTP_REFERER'] can be modified, but would using that, and a few extra "invisible" hoops for an average user, such as a required timestamp, work?

 

No. Using the referrer for anything other than information gathering purposes is a bad idea imo. Some firewalls have been known to block the sending of the referrer. You shouldn't do anything to block bots that could block legitimate users.

 

Does this paragraph make sense?

 

Not particularly. Yes, you could add some salt to the input for any given hashing algorithm to allow it to produce a different output, but what would be the point? If you're attempting one of these token things whereby there is a hidden field in the form containing a hash which is also set in the session then sure, it makes things harder for a malicious user; but it is not foolproof.
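
The hidden-field token and the "same on this server, different elsewhere" hash discussed in this thread, as an added example that is not code from any poster: a keyed hash (`hash_hmac` with a server-side secret, used here in place of a salted md5) signs a timestamp so that /process/action.php can reject forged, stale, or instantly submitted posts. The secret value, the function names, and the age limits are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Assumption: a per-server secret loaded from configuration outside the web root.
// The value below is a constructed placeholder.
const FORM_SECRET = 'constructed-placeholder-secret-change-me';
const TOKEN_MAX_AGE = 1800; // seconds a rendered form stays valid
const TOKEN_MIN_AGE = 2;    // submissions faster than this look automated

// Build the hidden-field value "<issued-at>.<hmac>".
// Binding to the form name and session id stops reuse across forms or visitors.
function issue_form_token(string $form, string $sessionId, ?int $now = null): string
{
    $ts = $now ?? time();
    $mac = hash_hmac('sha256', "$form|$sessionId|$ts", FORM_SECRET);
    return "$ts.$mac";
}

// Returns true only for an untampered token of acceptable age.
function verify_form_token(string $token, string $form, string $sessionId, ?int $now = null): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // malformed or missing token
    }
    $ts = (int) $parts[0];
    $expected = hash_hmac('sha256', "$form|$sessionId|$ts", FORM_SECRET);
    if (!hash_equals($expected, $parts[1])) { // constant-time comparison
        return false; // forged, or issued for another form, session or server
    }
    $age = ($now ?? time()) - $ts;
    return $age >= TOKEN_MIN_AGE && $age <= TOKEN_MAX_AGE;
}

// Constructed walk-through with fixed clock values so the output is repeatable.
$sid = 'constructed-session-id';
$token = issue_form_token('contact', $sid, 1000000);
var_dump(verify_form_token($token, 'contact', $sid, 1000060)); // ordinary submit
var_dump(verify_form_token($token, 'contact', $sid, 1000000)); // instant submit
var_dump(verify_form_token($token, 'contact', $sid, 1003600)); // stale form
var_dump(verify_form_token('1000000.' . str_repeat('0', 64), 'contact', $sid, 1000060)); // forged MAC
var_dump(verify_form_token($token, 'contact', 'other-session', 1000060)); // token from another visitor
```

As the last reply says, this is not foolproof: a bot that loads the form first and waits before posting receives a valid token, so the check only filters direct, blind requests to the processing script.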
