
I have made a simple contact form for my website with a validator, so users should enter all inputs before the contact form can be submitted. After submission, the user is directed to a PHP page, i.e. all contact information will then be sent to mail. Unfortunately a user can bypass all the required inputs by just typing in the URL of the PHP page. The result is an email with no inputs.

How can I prevent users from accessing the URL of my PHP file? See the current PHP code below:

<?php
/* Subject and Email Variables */
$emailSubject = '';
$webMaster = '';
/* Gathering Data Variables (nothing checks that the form was actually submitted) */
$name = $_POST['Name'];
$adress = $_POST['Adresse'];
$email = $_POST['email'];
/* A heredoc starts after the opening line and ends with the delimiter alone on its own line */
$body = <<<EOD
<br><hr><br>
Name: $name <br>
Adresse: $adress <br>
Epost: $email <br>
EOD;
/* The second header must be appended (.=), otherwise it overwrites the From: line */
$headers = "From: $email\r\n";
$headers .= "Content-type: text/html\r\n";
$success = mail($webMaster, $emailSubject, $body, $headers);
/* Results rendered as HTML (the original heredoc here was empty) */
$theResults = '';
echo "$theResults";
?>
  • Name: $name Adresse: $adress Epost: $email EOD; $headers = "From: $email\r\n"; $headers = "Content-type: text/html\r\n"; $success = mail($webMaster, $emailSubject, $body, $headers); /* Results rendered as HTML */ $theResults = << – Co.do Sep 28 '16 at 14:09
  • check if $_POST is set and contains data in your processing file, otherwise redirect the user to your desired file – Sayantan Das Sep 28 '16 at 14:20

1 Answer


For example, you could generate some sort of parameter that gets passed to the new PHP page. In case this parameter doesn't get passed (hasn't been generated), you can simply test:

// The check needs an if, the function is header() (not headers()), and the script should stop after redirecting
if (!isset($_GET['sent'])) {
    header("Location: WHEREVER YOU NEED TO REDIRECT");
    exit;
}
  • @ Stefano, you mean this code !isset($_GET['sent']) { headers("Location: WHEREVER YOU NEED TO REDIRECT") } should go after – Co.do Sep 28 '16 at 14:22
  • Maybe an idea to create some kind of token validation. Random string generator: http://stackoverflow.com/a/4356295/5685695 My idea about your question: 1. Filling in form 2. Submit form 3. Create a randomly generated string and set this in $_SESSION['validate']. Also send the created key in the $_GET['key'] to page 2. 4. Before sending the email or even before accessing the second page check if $_SESSION['validate'] == $_GET['key']; if it's not then return false or header location back to the first page. I know it's not that secure but it works. It's just an idea! :) – Marvinoo_ Sep 28 '16 at 14:58
  • Marvinoo gave a more elaborate version of my idea, which could work pretty well. I'd skip the idea of generating a string as I seem to understand that it's not really about it being "secure", just to be sure that the email actually contains something. A normal user wouldn't then risk skipping this part. Considering this is still PHP of course it has to be placed inside – Risikoruk Sep 28 '16 at 15:41
  • @ Marvinoo. It's not really about being secure but more about the email containing something, indeed. I tried to add the line you suggested in my PHP file but it doesn't really work. – Co.do Sep 29 '16 at 08:51
  • You have to send some kind of parameter in order for it to work. Easy example: if your form sends data as POST, add a hidden input field with name "sent", and check in the following page if isset($_POST['sent']) – Risikoruk Sep 29 '16 at 13:09
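The hidden "sent" field from the answer and Risikoruk's last comment, combined with the session token Marvinoo describes, as an added example that is not the asker's or the answerers' code: one PHP file that renders the form on GET and processes it on POST, sending the visitor back to the form whenever the request did not come through the form or a required field is empty. It goes a step beyond the thread by also repeating the "all fields required" rule server-side and validating the address before it is put in a mail header. The field names follow the question's form; the mailbox address and the file handling both GET and POST are assumptions.

```php
<?php
// Added example, not the asker's or answerers' code: one file that renders the
// contact form on GET and processes it on POST, using the hidden "sent" field and
// session-token check the answer and comments describe. Address is a placeholder.
session_start();
$webMaster    = 'webmaster@example.com';
$emailSubject = 'Contact form';
$required     = ['Name', 'Adresse', 'email'];
// Send the visitor back to the form (this same URL) and stop processing.
function backToForm(): void { header('Location: ' . $_SERVER['PHP_SELF']); exit; }
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // GET, including someone typing the URL directly: show the form with a fresh
    // random token stored in the session and echoed into a hidden field.
    $_SESSION['form_token'] = bin2hex(random_bytes(16));
    $token = htmlspecialchars($_SESSION['form_token'], ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="">'
       . '<input type="hidden" name="sent" value="' . $token . '">'
       . 'Name: <input name="Name" required><br>'
       . 'Adresse: <input name="Adresse" required><br>'
       . 'Epost: <input name="email" type="email" required><br>'
       . '<button>Send</button></form>';
    exit;
}
// POST: the hidden field must equal the session token (constant-time compare);
// a request that never loaded the form, or reuses an old token, fails here.
if (!isset($_POST['sent'], $_SESSION['form_token'])
    || !hash_equals($_SESSION['form_token'], (string) $_POST['sent'])) {
    backToForm();
}
unset($_SESSION['form_token']);   // one-shot token: a page refresh cannot resend
// Repeat the "every field required" rule on the server; the browser-side
// validator is exactly what a direct request to this URL skips.
$data = [];
foreach ($required as $field) {
    $data[$field] = trim((string) ($_POST[$field] ?? ''));
    if ($data[$field] === '') {
        backToForm();
    }
}
// FILTER_VALIDATE_EMAIL rejects CR/LF, so the address is safe in a From: header.
if (filter_var($data['email'], FILTER_VALIDATE_EMAIL) === false) {
    backToForm();
}
$esc  = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
$body = 'Name: ' . $esc($data['Name']) . '<br>Adresse: ' . $esc($data['Adresse'])
      . '<br>Epost: ' . $esc($data['email']) . '<br>';
$headers = "From: {$data['email']}\r\nContent-type: text/html; charset=UTF-8\r\n";
echo mail($webMaster, $emailSubject, $body, $headers) ? 'Sent.' : 'Sending failed.';
```

Opening the URL directly now only shows the form; the mail is sent only when the POST carries the token that this same form issued and every field is filled in.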