stackoom
  简体   繁体   中英

PHP Server Side Script

 原文  2015-09-26 17:19:18       php

Question

I have Linux operating system with Doc root(/var/www/html)in which I have an index.html file which has a form for asking user's name and then it puts that details into MYSQL Database(using php script called inside the index.html).

When I open the index.html in browser it presents me with the form to enter the user details and after clicking on submit, the php script is called(browser URL changes to /localhost/insert.php)and it inserts the data into database which is fine.

The issue is that the backend php script is directly available using /localhost/insert.php, so if I(or someone) bypasses the index.html and directly opens the /localhost/insert.php, it runs directly putting some vague data into MYSQL Database.

Any fixes to avoid running the backend(server side php script) directly from the browser.It should ONLY be allowed to run when called from the index.html.

3 answers

solution1
 2 ACCPTED  2015-09-26 17:44:22

It is better to check the request method than check if the $_POST variable is set, as there will be cases that a form will be correctly sent but the $_POST won't be sent.

You can do this by the following: 

if ($_SERVER['REQUEST_METHOD'] != 'POST') {
    header('Location: index.html');    
    die();
}

Then you can do sanitisation to check the fields have been entered, then finally sanitise data. If you are inserting the data into a database be sure to use prepared statements (or at the very least sanitise your data inputs using a real escape string function ). Also make sure you prevent XSS injections by using htmlspecialchars .

solution2
 1  2015-09-26 17:23:11

You need to bypass processing in insert.php by placing a check and executing only if the request is coming from a POST 

if(!isset($_POST['formValue'])){
exit;
}
?>

formValue is the key being "Post" from your index.html

solution3
 0  2015-09-26 17:33:30

If you are handling things properly, using POST method, then things should work out good. It doesn't matter if the user is trying to access your php script directly. It all depends on your request method. Say for example your form tag goes like this. 

<form action = "index.html" method = "post">

And your submit button goes like this, 

<input type = "submit" id ="submit">

Then in your index.html php script their should be something like this. 

if(isset($_POST['submit'])){
// redirect data to another php script. And in this script, data should be cleaned to prevent Sql injections !! 
}
else 
{echo "invalid request";}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Server side php script not working in Xampp Increment variable and save server side in .php script Server Side Validation using PHP script how to structure server side script with php PHP Server Side Script for C# BackgroundUploader Running a PHP script completely on server side How to schedule the execution of a PHP script on the server side? Posting JSON to php script server side fails PHP Client-Side action to run a script server-side Firebase: how to check client side session with php server side script
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM