biff Posted December 16, 2005
howdy partners, I'd like to put my PHP mail script in a private folder for obvious reasons, so that the outside world (email scammers) can't access and abuse it. How can I get the info from a form into a PHP script in a private/password-protected folder and have it send me the form info? thanks mucho
TCH-Bruce Posted December 16, 2005
Can't be done as far as I know, since to run the form processor it has to have world access to it. You might want to look at Ultimate Form Mail.
owatagal Posted December 17, 2005 (edited)
I run my contact scripts from outside public_html, so it can be done. In my case, I created a folder outside of public_html; let's call it secret_folder. Inside that folder, I have a file called process_form.php. This is the script that handles checking and then sending all the form data to me. In public_html, I have my contact folder and it only has an index file. A stripped-down version of that file would look something like this:

<?php
// Only run the processor when the form was actually submitted
// (isset() avoids an "undefined index" notice on a plain GET).
if (isset($_POST['submit']) && $_POST['submit'] == 'Send It On') {
    // process_form.php lives outside public_html; it checks the
    // submitted data, mails it to me, and sets $show_this
    include '/home/mycpanelname/secret_folder/process_form.php';
} else {
    $show_this = '
    <p>I love comments! Send some to me!</p>
    <form method="post" action="/contact/index.php">
    Name: <input name="name" /><br />
    Email: <input name="email" /><br />
    Comments: <br />
    <textarea name="comments" rows="10" cols="50"></textarea>
    <input type="submit" name="submit" value="Send It On" />
    </form>';
}
?>
<html>
<head>
<title>My Contact Form</title>
</head>
<body>
<h1>Contact Form</h1>
<?php echo $show_this; ?>
</body>
</html>

Basically, the idea is that the script first checks to see if the submit button was pressed -- did the visitor just send data in? If so, the script will include process_form.php from my secret folder. process_form.php checks all the form data, verifies a couple of things, and then emails the comments to me. It also builds a variable called $show_this that contains a thank-you message and, I think, a copy of the message the visitor sent to me (been a while since I tested that...). But if the submit button hasn't been pressed, the script will instead create $show_this with a message inviting people to send me comments and providing a form to do so. And then in the HTML portion of the page, all I really have to do is echo out the $show_me variable -- it'll either be a thank-you note for sending me comments, or a form and invitation to do so.
The server doesn't care where you include files from when it goes to process them, so it's OK to throw the meat and bones of the script outside public_html. If you're using a premade script, though, you'd want to be really careful about moving parts of the script around so you don't break it. It's definitely possible to do, though.

In all honesty, though, the location of the script is the least important thing in securing it from abuse. A badly-written script can be abused no matter where it is on the server. I would worry more about making sure the processing part of the form does thorough checks on all the user-submitted data, and make sure there aren't any holes in the script someone could manipulate, before I'd worry about where that processing script was actually located. A well-written script in public_html is 100% safer than a badly-written script in a private folder.
Edited December 17, 2005 by owatagal
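For readers wondering what the "thorough checks on all the user-submitted data" in process_form.php might look like, here is an added example of such a processor. It is not owatagal's script and not Ultimate Form Mail; it assumes the three field names from the form above (name, email, comments), that it is reached only through the include from index.php, and uses placeholder recipient and sender addresses. The checks that matter for abuse by spammers are the ones that keep a submitted value from adding extra lines to the mail headers: the name and email go through a single-line filter, the address is validated, and the visitor's address is placed in Reply-To rather than From.

```php
<?php
// Hypothetical /home/mycpanelname/secret_folder/process_form.php
// (added example; not the original poster's file).

$recipient = 'you@example.com';                       // placeholder: your address
$sender    = 'Contact Form <noreply@example.com>';    // placeholder: a fixed local sender

// Only meaningful when included from the form handler after a submit.
if (!isset($_POST['submit'])) {
    exit;
}

// Header values must be exactly one line. Strip CR, LF and NUL so a
// submitted value cannot append further headers (extra To:, Bcc:, ...),
// then cap the length.
function clean_line($value, $max_len)
{
    $value = str_replace(array("\r", "\n", "\0"), '', (string) $value);
    $value = trim($value);
    return substr($value, 0, $max_len);
}

// filter_var rejects addresses containing whitespace or line breaks,
// so a value that passes here is safe to place in a header.
function valid_email($email)
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

$name     = clean_line(isset($_POST['name'])  ? $_POST['name']  : '', 100);
$email    = clean_line(isset($_POST['email']) ? $_POST['email'] : '', 254);
$comments = isset($_POST['comments']) ? trim((string) $_POST['comments']) : '';
$comments = substr($comments, 0, 5000);   // keep the body to a sane size

$errors = array();
if ($name === '') {
    $errors[] = 'Please give your name.';
}
if (!valid_email($email)) {
    $errors[] = 'Please give a valid email address.';
}
if ($comments === '') {
    $errors[] = 'The comments box is empty.';
}

if (count($errors) > 0) {
    // Report problems back through $show_this; nothing is sent.
    $show_this = '<p>Sorry, your message was not sent:</p><ul>';
    foreach ($errors as $error) {
        $show_this .= '<li>' . htmlspecialchars($error) . '</li>';
    }
    $show_this .= '</ul>';
    return;   // hands control back to index.php
}

// From stays a fixed local address; the visitor's address only ever
// appears in Reply-To, and both values above are already single-line.
$headers  = 'From: ' . $sender . "\r\n";
$headers .= 'Reply-To: ' . $email . "\r\n";
$headers .= "Content-Type: text/plain; charset=UTF-8\r\n";

$subject = 'Contact form message from ' . $name;   // $name is single-line
$body    = "Name: " . $name . "\n"
         . "Email: " . $email . "\n\n"
         . $comments . "\n";

if (mail($recipient, $subject, $body, $headers)) {
    // Thank the visitor and echo their message back, HTML-escaped,
    // so nothing they typed is interpreted as markup on the page.
    $show_this = '<p>Thanks, ' . htmlspecialchars($name) . '! Your message has been sent.</p>'
               . '<pre>' . htmlspecialchars($comments) . '</pre>';
} else {
    $show_this = '<p>Sorry, the message could not be sent right now.</p>';
}
```

Because index.php includes this file at top level, the $show_this it sets is the same variable index.php echoes, and the bare return after the error report simply returns to the including script. Any other file in secret_folder is still unreachable by URL, but, as owatagal says, that is secondary: the line-stripping and address validation are what stop the form being turned into an open relay.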
TCH-Bruce Posted December 17, 2005
> In all honesty, though, the location of the script is the least important thing in securing it from abuse. A badly-written script can be abused no matter where it is on the server. I would worry more about making sure the processing part of the form does thorough checks on all the user-submitted data, and make sure there aren't any holes in the script someone could manipulate, before I'd worry about where that processing script was actually located. A well-written script in public_html is 100% safer than a badly-written script in a private folder.

Correct! And it was the processing part of the form I was referring to. Also the reason I suggested UFM.