1

I have Linux operating system with Doc root(/var/www/html)in which I have an index.html file which has a form for asking user's name and then it puts that details into MYSQL Database(using php script called inside the index.html).

When I open the index.html in browser it presents me with the form to enter the user details and after clicking on submit, the php script is called(browser URL changes to /localhost/insert.php)and it inserts the data into database which is fine.

The issue is that the backend php script is directly available using /localhost/insert.php, so if I(or someone) bypasses the index.html and directly opens the /localhost/insert.php, it runs directly putting some vague data into MYSQL Database.

Any fixes to avoid running the backend(server side php script) directly from the browser.It should ONLY be allowed to run when called from the index.html.

Improve this question
1
  • The PHP file should be coded so that it does not run unless a $_POST request is sent Commented Sep 26, 2015 at 17:25

3 Answers 3

Reset to default
2

It is better to check the request method than check if the $_POST variable is set, as there will be cases that a form will be correctly sent but the $_POST won't be sent.

You can do this by the following:

if ($_SERVER['REQUEST_METHOD'] != 'POST') {
    header('Location: index.html');    
    die();
}

Then you can do sanitisation to check the fields have been entered, then finally sanitise data. If you are inserting the data into a database be sure to use prepared statements (or at the very least sanitise your data inputs using a real escape string function). Also make sure you prevent XSS injections by using htmlspecialchars.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

woo hoo ! It worked like a charm ! Thanks msja and all the above members ! Really appreciate quick help for this topic
No problem! Chandan, if you agree this answer is correct could you please accept this answer by clicking the empty tick outline underneath the vote buttons? This will help ensure people finding this answer later find the correct one at the top.
Sure..i guess all the answers provided by everyone are working for me
1

You need to bypass processing in insert.php by placing a check and executing only if the request is coming from a POST 

if(!isset($_POST['formValue'])){
exit;
}
?>

formValue is the key being "Post" from your index.html

Improve this answer

2 Comments

Thanks Wes & Syed for your valuable inputs, I'l try it out and get back.
It is a good idea to write your code inline with the PSR standards. In addition to this you should redirect the page to the index page when nothing is posted, this is in case someone bookmarks the successful submission page and want to come back to resend something.
0

If you are handling things properly, using POST method, then things should work out good. It doesn't matter if the user is trying to access your php script directly. It all depends on your request method. Say for example your form tag goes like this.

<form action = "index.html" method = "post">

And your submit button goes like this,

<input type = "submit" id ="submit">

Then in your index.html php script their should be something like this.

if(isset($_POST['submit'])){
// redirect data to another php script. And in this script, data should be cleaned to prevent Sql injections !! 
}
else 
{echo "invalid request";}
Improve this answer

1 Comment

You shouldn't: "redirect data to another php script after cleaning it. To prevent SQL injections." You should do SQL injection sanitisation in the script before executing the query, or better use prepared statements. Redirecting to a different script does nothing as the attacker can then just attack there directly.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.