-1

I have a php file for frontend. In this file there are few forms. 

<form name="add3" method="post" id="add3" name="add3" action="add_exec.php" role="form">
</form>

now you can see in action add_exec.php. I want this file not to be execute directly.

I don't want to use .htaccess to achieve this.

Is there anything else we can do to prevent direct execution of add_exec.php file.

Thanks

Edit:

I am not looking for htaccess answer. If my file is in form action attribute then it will consider as include or not? If no then how can i prevent the execution.

Roxx
  • 3,738
  • 20
  • 92
  • 155
  • 1
    http://stackoverflow.com/questions/409496/prevent-direct-access-to-a-php-include-file – Amit Rajput Jan 13 '16 at 04:37
  • thanks for your comment. my question is if we use filename in action section, then does it will consider as include? because i do checked those SO questions. – Roxx Jan 13 '16 at 04:40
  • @dagon I have updated the question. Can you please advice. – Roxx Jan 13 '16 at 04:47
  • add_exec.php is 'executed' when the form is submitted. if you dont want some one typing its url in the browser, check that it has been sent form inputs –  Jan 13 '16 at 04:49
  • Perhaps if you explained the scenario your very obtuse question may make sense. Simple answer delete add_exec.php. It wont execute then – DeveloperChris Jan 13 '16 at 04:54
  • Thanks Dagon. I am checking that form inputs. But I want some specific error msg or error page to show. Because if form inputs are empty then i think it will give error like fill all fields or specific fields. – Roxx Jan 13 '16 at 04:55
  • You want to use javascript then. But it sounds like you are a novice using javascript as your form validator only acts as a warning it will not prevent that php file from being executed with bad input data – DeveloperChris Jan 13 '16 at 04:56
  • @DeveloperChris Scenario is very simple i don't want execution of add_exec.php executed in url browser. add_exec.php will call by form only. – Roxx Jan 13 '16 at 04:57
  • No i am not looking for javascript solution. – Roxx Jan 13 '16 at 04:58
  • you dont want the php to execute. you dont want a redirect in .htaccess you don't want javascript client side processing. clearly you want the form to do nothing at all. If you want just the fields simply remove the form element wrapper – DeveloperChris Jan 13 '16 at 05:00
  • add_exec.php can output any error you like. –  Jan 13 '16 at 05:01
  • @Dagon Agree with you i think i need to add something like if all fields are empty in post then redirect to index page. – Roxx Jan 13 '16 at 05:06
  • First i will try schellingerht answer. – Roxx Jan 13 '16 at 05:09
  • told you that 20 minutes ago - sigh –  Jan 13 '16 at 05:10

2 Answers2

2

It's all about the request type:

Check on the top of add_exec.php the request method:

if ($_SERVER['REQUEST_METHOD'] != 'POST')
    exit('No access!');

Or:

if (!isset($_POST['specific_element_from_form']))
    exit('No access!');
schellingerht
  • 5,726
  • 2
  • 28
  • 56
1

You can prevent accessing a resource (file, image, js, etc) hosted in web server by modifying web server configuration file. In Apache web server, it can be done using apache2.conf or .htaccess file.

<Files add_exec.php>
    Order allow, deny
    Deny from all
</ Files>

If it is not restricted by web server, it can be accessed from direct resource address like below. http://example.com/add_exec.php

But your scenario, POST data should receive to add_exec.php, it should prevent GET method only. So you can check if it is GET or POST and then process your form data.

In your add_exec.php file

if ($_SERVER['REQUEST_METHOD'] == 'GET') {
    exit();
}

// process your form
Pradeep Sanjaya
  • 1,816
  • 1
  • 15
  • 23