I am new to PHP so as I am learning I just discovered that you can go directly to a page like domain.com/process.php and the page would still run.
How can I prevent a user from directly accessing the page and make sure they got to the process.php after they have submitted the form?
Simply, use this code :
<?php
if(!isset($_POST['submit']))
{
echo 'Try accessing this page by pressing submit button'. '<br />';
echo "<a href='form.html'>Goto Form Page</a>";
exit();
}
?>
// here 'submit' is the name attribute within your input tag for submit button
/*
It simply means if submit button is not pressed, echo the following message and
exit don't run anything else. You can also use die('Your message here')
instead of exit();
*/
Perhaps you are looking for this? Perhaps there is another or better way of doing this, but I'm not sure.
if(isset($_POST['submit']))
{
///process form
}
in most cases this should work, though some cases it may not, in this case you could add a hidden field:
<input type='hidden' name='submit' />
The hidden field should always be submitted.
Use session to prevent users from directly accessing process.php. Like in index.php use session_start(); $_SESSION['access']="true"; and in process.php page,
session_start();
<?php
if(isset($_SESSION['access'])){
?>
<form >.....your process form here....
<?php
}else{
echo "Direct access deny";
die;
}
Even this can be automated, first go to index page then process page automatically, you can use captcha to avoid it.
Here are 2 examples of how to stop process.php from running both using a combination of a set session and a check on if the request is a POST (others have mentioned just checking submit is set but a bot would only need add that value to its params, but by using a random key the bot would have to visit the form page and get the key at least once, also for some extra security you could unset the session variable so process.php will only run once per form view, this would slow down (but not stop) a brute force or spammer):
Form Page
<?php
session_start();
$_SESSION['process_key']=md5(microtime(true));
?>
<p>Form</p>
<form method="POST" action="process.php">
<input type="hidden" name="key" value="<?=$_SESSION['process_key'];?>">
<p><input type="submit" value="Submit" name="submit"></p>
</form>
process.php
<?php
session_start();
if($_SERVER['REQUEST_METHOD'] =='POST' && isset($_SESSION['process_key']) && $_POST['key'] == $_SESSION['process_key']){
//process form
...
...
unset($_SESSION['process_key']);
}else{
header('Location: ./index.php');
die;
}
?>
Or an alternative method would be to post the form back to the script and include process.php.
<?php
//Form Page
session_start();
define('RUN',true);
if($_SERVER['REQUEST_METHOD'] =='POST' && isset($_SESSION['process_key']) && $_POST['key'] == $_SESSION['process_key']){
//process form
include('process.php');
die;
}else{
$_SESSION['process_key']=md5(microtime(true));
//echo form
?>
<p>Form</p>
<form method="POST" action="">
<input type="hidden" name="key" value="<?=$_SESSION['process_key'];?>">
<p><input type="submit" value="Submit" name="submit"></p>
</form>
<?php
} ?>
Then have at the top of process.php so it cant be run if its not included from another file:
<?php if (!defined("RUN")){header ("Location: ./index.php");} ?>