
Say I have a form on example.com/contact that processes on example.com/submitted. In theory anyone can currently access example.com/submitted directly although this isn't ideal because of the message displayed. There's this question from 7 years ago but the answers in that don't work.

Theoretically the contents of the form page don't matter as long as it was posted. I don't want to have to echo out the contents of the submitted page as it is complete. I just need something simple like if the referrer wasn't example.com/form or POST method.

All I need is to only allow access to example.com/submitted if the user has actually submitted something. I've tried PHP and htaccess methods (PHP preferred) but nothing I've found has worked. Processing on the same page would remove this issue but the submitted page contains entirely different content.

Any advice would be appreciated as I can't find anywhere with a working answer.

4 Answers

1

Have the action of your form on example.com/contact point to example.org/submitted so that the form contents get posted to your submitted page.

Then, on your submitted page, check the method, and redirect to contact on GET (or better, everything that isn't POST):

// Send anything that is not a POST back to the form. The exit is needed:
// header() only queues the redirect, the rest of the script would still run.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header("Location: http://example.com/contact");
    exit;
}
// $_POST is a superglobal and is always set, so test that it is not empty.
if (!empty($_POST)) {
    // validate input
    // save to your CSV
    // display `submitted` page
}
Polygnome
  • That should work too but direct access to `example.com/submitted` is still possible. The header replacement doesn't occur. – learningtoanimate Jun 15 '20 at 09:52
  • @learningtoanimate That is a problem with your surrounding code, then. If you do this as an MCVE you'll see that it works. Without seeing your other code, its impossible to say why it doesn't work for you. – Polygnome Jun 15 '20 at 09:53
  • Got it, thank you for posting a solution that works. I just had to place it at the very top of the document. – learningtoanimate Jun 15 '20 at 09:55
  • @learningtoanimate `header()` needs to come before any *output* has occurred. Doesn't strictly need to be at the top, just before any output is written. – Polygnome Jun 15 '20 at 10:02
0

You can accomplish a check on both the referrer and the request method by doing so:

// The Referer header is sent by the client and may be missing or forged,
// so read it with a default and treat it as a convenience check only.
$referer = $_SERVER['HTTP_REFERER'] ?? '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && $referer === "http://example.com/form") {
    // Your code
}
Anders
  • Unfortunately that doesn't work. It wouldn't even need to check both. Theoretically it could check if it was from the form page and if not send the user there at the top of the code for processing the form. I wonder if the best approach is to just hide the comma if it's directly accessed vs trying to prevent it. – learningtoanimate Jun 15 '20 at 05:36
  • You could possibly just 'include' / 'require' the success page inside the submission page so that its content will show only after the POST data was received, that way you stay on the same URL and it will only show that file after the form has been processed. – cyw Jun 15 '20 at 06:00
0

Try this: contact.php

session_start();
// ...
$_SESSION['form-submitted'] = 0;
if (isset($_POST['submit'])) { // use your button value
   // do your stuff
   $_SESSION['form-submitted'] = 1;
   // redirect to submitted file
   header("Location: submitted.php");
   exit;
}

submitted.php

session_start(); // required before $_SESSION is available on this page
if (isset($_SESSION['form-submitted']) && $_SESSION['form-submitted'] == 1) {
   // show content
} else {
   // redirect to contact page
   header("Location: contact.php");
   exit;
}

This will allow you to catch the GET requests and check if the form was not submitted.

Serghei Leonenco
  • I'm trying to lean away from sessions just because they won't be needed in the vast majority of uses and to reduce compute usage. I'm leaning more towards just having the thanks message without the `, name` if it happens to be directly accessed. – learningtoanimate Jun 15 '20 at 05:41
  • You can try also to redirect with special encoded get parameter, and check them on submitted page – Serghei Leonenco Jun 15 '20 at 05:45
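Putting the method check from the first answer together with the session flag from this one gives a thank-you page that is reachable only right after a real submission. This is an added example, not code from any of the answers; it assumes contact.php contains `<form method="post" action="/submitted.php">` with a text field named `name`, and the file paths and CSV name are assumptions too.

```php
<?php
// submitted.php: added example, not code from any of the answers.
// Assumes contact.php holds <form method="post" action="/submitted.php"> with
// a text field named "name"; the paths and the CSV file name are assumptions.
declare(strict_types=1);

session_start();

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    // Any client can send a POST, so validate the field rather than trusting
    // the method alone (or the Referer header, which the client controls).
    $name = trim((string) ($_POST['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {
        header('Location: /contact.php?error=name', true, 303);
        exit; // header() only queues the redirect; the script must stop itself
    }

    // Process the submission (the answers mention a CSV; this appends to one).
    $fh = fopen(__DIR__ . '/submissions.csv', 'ab');
    if ($fh !== false) {
        fputcsv($fh, [date('c'), $name]);
        fclose($fh);
    }

    // Post/Redirect/Get: keep the result in the session for one view and send
    // the browser back to this page as a GET, so a refresh cannot re-submit.
    $_SESSION['form-submitted'] = $name;
    header('Location: /submitted.php', true, 303);
    exit;
}

if (!isset($_SESSION['form-submitted'])) {
    // Direct GET with no submission behind it: back to the form.
    header('Location: /contact.php', true, 303);
    exit;
}

// Consume the one-time flag so the page cannot simply be re-opened later.
$name = (string) $_SESSION['form-submitted'];
unset($_SESSION['form-submitted']);

// Escape user input before echoing it into HTML.
$safeName = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo "<!doctype html><title>Submitted</title><p>Thanks, {$safeName}!</p>\n";
```

Because the flag is removed on the first GET, a second refresh or a bookmarked visit lands on the contact form instead of the thank-you text.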
0

Have you tried this one yet?

// $_POST is a superglobal and is always set, so test for an empty array instead.
if (empty($_POST)) {
    header("Location: http://example.com/contact");
    exit; // stop the script, otherwise the rest of the page is still rendered
}
Thien Huynh