Hey there, I'm a young coder!

I'm making a prototype website builder, and I have a PHP script that is able to create a sub-domain from my form.

Is there any way that I can prevent malicious users from, say, spamming the form? My HTML is as follows:
HTML
<form action="website-build/build.php" method="post">


This would allow people to know the location of the script and subsequently use the inputs as data.

These are my inputs (they are validated through HTML, I just didn't include the pattern value):

HTML
<input name="first_name" type="text" />
<input name="last_name" type="text" />
<input name="email" type="email" />
<input name="cms" type="radio" value="wordpress" />
<input name="cms" type="radio" value="drupal" />
<input name="cms" type="radio" value="joomla" />
<input name="subdomain" type="text" />


The URL would look like: ...build.php?first_name=VALUE&last_name=VALUE&email=VALUE&cms=VALUE&subdomain=VALUE

So how can I stop people from submitting this in the URL (GET) or with a tool (POST) and thereby allowing no access to said script unless used by my website?

I'm thinking the best course of action would be to hide the name attribute of the inputs somehow and then people wouldn't know.

What I have tried:

I thought about deleting the action and having the PHP run in the actual document, but that doesn't help, it does the same thing. I have yet to figure out how to remove the name attribute of the inputs.
Updated 30-Apr-17 11:55am

1 solution

Quote:
So how can I stop people from submitting this in the URL (GET) or with a tool (POST) and thereby allowing no access to said script unless used by my website?

You can't stop people from doing this.
I am not an expert on this, but:
- You can consider that any client side check can be bypassed by a malicious user.
- You have to recheck everything in your PHP script, including all the checks normally done on client side.
- Hiding the script URL will not help because the URL will be used to post the answer, and this can be detected by the user.
- One of the things you have to check is that the user is legitimate and in a legitimate session.
 
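The server-side re-checks described in the solution above, as an added example (not code from the original post or from the asker's build.php). The session token field `csrf_token`, the `last_build` session key, the 30-second limit and the name and subdomain patterns are assumptions made for illustration.

```php
<?php
// Added example: server-side checks for a handler like build.php.
// Assumed (not in the original post): the page that renders the form calls
// session_start(), stores bin2hex(random_bytes(32)) in $_SESSION['csrf_token']
// and emits that value in a hidden "csrf_token" field.
declare(strict_types=1);

function validate_build_request(array $post, array $session, int $now): array
{
    $errors = [];
    // The token must match the one issued to this session.
    $sent = $post['csrf_token'] ?? '';
    $issued = $session['csrf_token'] ?? '';
    if (!is_string($sent) || !is_string($issued) || $issued === '' || !hash_equals($issued, $sent)) {
        $errors[] = 'invalid or missing form token';
    }
    // Per-session throttle (assumed limit: one build every 30 seconds).
    if ($now - (int)($session['last_build'] ?? 0) < 30) {
        $errors[] = 'too many requests';
    }
    // Re-run every check the HTML pattern attributes were doing.
    foreach (['first_name', 'last_name'] as $f) {
        $v = $post[$f] ?? '';
        if (!is_string($v) || !preg_match('/^[\p{L} \'-]{1,50}$/uD', $v)) {
            $errors[] = "invalid $f";
        }
    }
    if (!is_string($post['email'] ?? null) || filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid email';
    }
    // Radio values are checked against an allow-list, never used as free text.
    if (!in_array($post['cms'] ?? null, ['wordpress', 'drupal', 'joomla'], true)) {
        $errors[] = 'invalid cms';
    }
    // Assumed rule: one DNS label of lowercase letters, digits and inner hyphens.
    $sub = $post['subdomain'] ?? '';
    if (!is_string($sub) || !preg_match('/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/D', $sub)) {
        $errors[] = 'invalid subdomain';
    }
    return $errors;
}

session_start();
if ($_SERVER['REQUEST_METHOD'] !== 'POST') { http_response_code(405); exit; }
$errors = validate_build_request($_POST, $_SESSION, time());
if ($errors) { http_response_code(400); exit(implode("\n", $errors)); }
$_SESSION['last_build'] = time();
// ... create the sub-domain here, using only the validated values ...
```

The throttle only slows a client that keeps its session cookie, so a per-IP or per-email limit is a useful complement.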

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


