hide php file url in html form submit

Question

<form action="/path/hello.php" name='myForm' method='post'>
<!--  onChange="ajaxFunction();"  -->
<input type= "text"  name="user" id= "txtname" /><br />
<!-- <input type="text" name="user2" id="txtname2" /> -->
<input type='submit' name = "click"  />
</form>

Noweveryone who looks at my html source code will know where this php file is located and will know how to call it. How can i stop this ?

ZOMG... people can look at the address bar and see how to access the page that has this form. RUN FOR THE HILLS! — Marc B, Apr 13 '11 at 03:54

Ryan · Accepted Answer · 2011-08-01T14:48:12.990

If you handle the POST request to /path/hello.php properly, it shouldn't matter whether someone accesses it manually. Just make sure you are checking for things like the existence of $_POST['click'] and any other POST data you expect to exist, clean it, and proceed as normal.

If someone were to call /path/hello.php with spoofed POST data, then how would that be any different than them submitting your own form? There's no need to modify the script's visibility.

Furthermore, if your fear is that someone would be able to view the source of your PHP scripts--don't. The only thing a user would be able to see if they made an HTTP request to your PHP script would be the rendered HTML.

However, even if they could--why wouldn't you want someone to see your source (of course, barring situations where you might have sensitive configuration data within a PHP file)

isn't there a method to fool the user ? Something like adding a url rule in htaccess file ? — crowso, Apr 13 '11 at 04:05

score 3 · Answer 2 · answered Apr 13 '11 at 04:00

3

You can't stop it. If you're going to tell the browser where the form is, you have to put the address in the HTML somewhere and once you do that anyone can see it.

It really shouldn't make any difference though, as your script should be able to cope with whatever values are sent to it. You can't blindly trust the data from the client in any case, so you need to verify the data sent is what you're expecting - no matter whether that's data sent by filling in your form as normal or someone calling it directly.

answered Apr 13 '11 at 04:00

Michael Low

24,276
16
82
119

if you know the absolute path of the script then can't the user download it ? – crowso Apr 13 '11 at 04:03
Presuming you've got PHP setup correctly, no they can't. All they'll see is the output of the hello.php script (or a blank page if it has no output), they can't see the PHP source code. Try typing the path directly in the browser yourself to see. – Michael Low Apr 13 '11 at 04:11

score 1 · Answer 3 · answered Feb 01 '13 at 02:42

I can give a good example for why you would want to do this. You may have a service and offer it to a 3rd party, however in order to make this work there is some important configurable data that may come exposed. Here is an example

You own a website and let's say you want to create some type advertising campaign on your website but your "client" wants to advertise this the same thing on their website but the data needs to go into your email database.

you may not want them to know who you use
those services may require you to add account number or some type of identifying parameter towards your account.

May not be a big deal but still could be a security risk. So if you divert or mask it can prevent some of it.

score 0 · Answer 4 · answered Apr 13 '11 at 04:00

There is no way to avoid this other than leave off action all together. The form will then submit to the current URL.

In any case, why are you worried about someone accessing the script? If you've written it correctly, no information should be exposed, and, no, they will not know how to "call" it - unless by calling it you mean simply accessing it in the browser. If by simply accessing it in the browser, sensitive information is displayed, you've got some serious problems on your hands.

score 0 · Answer 5 · answered Apr 13 '11 at 04:10

0

I think your question is that by showing these paths that people will be able to actually view the source of the php file. That is not possible because it is being rendered by the php engine you are using. You have nothing to fear here.

answered Apr 13 '11 at 04:10

Wes

6,455
3
22
26

score -1 · Answer 6 · answered Aug 28 '12 at 11:42

Sorry, this isn't an answer, but a general observation on this same subject...

I have also experienced this and, seem to know where the OP is coming from...

I have seen a number of large CMS where form "actions" don't show the script... almost as if it points to a "friendly" URL...

Such as <form name="contactform" method="post" action="http://example.com/contact/send-contact">

As can be seen the extension is missing but the form is processed correctly...

I guess the htaccess could hide the extensions but some have a mix of visible URLs for standard pages and some "friendly" URLs for other content (including forms).

I'm not sure how these work...

score -1 · Answer 7 · edited May 23 '17 at 12:15

It is sometimes considered best practice to keep .php files above the root directory to protect against the rare occurrence of php being configured incorrectly on the server and displaying php code to the client.

All you have to do is create a proxy script and post to that. I store the action in a hidden field so that I don't need multiple proxy scripts. I can't post the source code because I would be duplicating my answer on another post. You can find it here: https://stackoverflow.com/a/36941336/2452680

score -1 · Answer 8 · answered Jun 08 '17 at 05:39

-1

you can first give an action to page1 and in page 1 you can get the data and redirect and post the data to page2. if you are using phpin page1 you can use curl and options to put data and execute it.

answered Jun 08 '17 at 05:39

k najafi

1
2

hide php file url in html form submit

8 Answers8