拒绝访问服务器上的某些文件
I have a newsletter subscription system and I would like to deny access to some files (such as the script that subscribes the user). The problem I ran into is that I need to deny access to the files for anyone coming from outside, but the scripts need to have access to each other.
For example, I have the following files:
- index.html
- subscribe.php
It should not be possible to access subscribe.php by typing the corresponding URL. However, index.html needs to be able to send the data that was input into a form to subscribe.php.
Here is what I tried so far:
I left index.html in my root directory and moved subscribe.php to the folder /restricted. I added the file .htaccess to the folder restricted. .htaccess just contains: deny from all
This gives me a 403 error when I try to access subscribe.php through the URL but it also gives me the same error when I submit the form in index.html
My question: what does my .htaccess file need to look like to archive what I want and why does what I tried not work?
我有一个简报订阅系统,我想拒绝访问某些文件(例如订阅该文件的脚本) 用户)。 我遇到的问题是我需要拒绝来自外部的任何人访问文件,但脚本需要相互访问。 p>
例如,我有以下内容 文件: p>
- 的index.html LI>
- subscribe.php LI>
UL>
不应该通过键入相应的URL来访问subscribe.php。 但是,index.html需要能够将输入到表单中的数据发送到subscribe.php。 p>
这是我到目前为止尝试的内容: p> \ n
我将index.html保留在我的根目录中,并将subscribe.php移动到文件夹/ restricted。 我将文件.htaccess添加到受限制的文件夹中。 .htaccess只包含:
拒绝所有 code> p>当我尝试通过URL访问subscribe.php时,这给了我403错误,但它也给了我同样的错误 我在index.html中提交表单时出错 p>
我的问题:我的.htaccess文件需要什么来存档我想要的内容以及为什么我尝试不起作用? p> div>
The problem I ran into is that I need to deny access to the files for anyone coming from outside, but the scripts need to have access to each other.
You are incorrect; that's not consistent with what you say later:
The problem I ran into is that I need to deny access to the files for anyone coming from outside, but the scripts need to have access to each other.
you are not submitting the form; the client's browser is submitting the form with a Web request. Don't think of it like this:
index.html needs to be able to send the data that was input into a form to subscribe.php.
That's not what's happening. index.html contains html that, when rendered on the client's browser, instructs the browser where and how to submit the registration form.
There are a few things you could try:
- Forms are typically submitted with a POST request. You could write
subscribe.phpto block GET requests and to expect the appropriate form submission information - The Referer [sic] header could be checked to make sure the referring webpage was indeed your 'index.html'; but be warned that this, like any http header with a known value, is trivial to forge.
- PHP Sessions could be used to track a client's access of index.html before posting a submission form. PHP sessions (typically) use client cookies to store a session 'token' that is then associated on the server side with a hash of information stored in a file or session cache. When programmed well, the client never has access to this data and therefore would only be able to get the session variable 'HasVisitedIndex' or whatever set if you set it for them in the session.
There are probably other solutions, but as you can see none of them is a complete slam-dunk because of the stateless client-server model of HTTP.