Hello,

I have a PHP Form script which submits form data to the action page (resultd.php)

Is there anyway to disable people from directly access results.php
results.php has the necessary code which check for submit variable etc.

My very specific question: is there any way I can allow results.php to only to be access from 127.0.0.1 and no one else ?
I am on LAMP platform.

Thx
Sans

I'm not 100% sure exactly what you're asking, but here's what I think:

When a form is submitted, the request comes from the user not the server. If you only allow requests from localhost then no one can use the form unless they happen to be on the local machine your server is running on.

I think what you want to do is
1. Only allow POST requests to results.php
2. Prevent POST requests that did not originate from the intended form from being processed.

The first one is simple,

PHP Code:

if($_SERVER['REQUEST_METHOD'] == 'POST')
{
     //process request
} 


For the second one, try using a nonce. When implemented correctly a user (or spam bot) must actually visit the page the form is on in order to have their request processed. Note that a nonce does not entirely prevent automated requests, but they can make them a little more difficult to pull off.

I may have not explained my requirement well.

My form = index.htm
It has <form name="aaa" method="POST" action="result.php">
Everything is working as expected.
I do have a statement like

PHP Code:

if( isset($_POST['Submit']) && ($_POST['Submit'] == "Submit") )
{
....
} 


I just do not want anyone or any BOT to be able to access result.php
I hope I have been able to explain well.

Any ideas ?

PHP Code:

if($_SERVER['REMOTE_ADDR'] == '127.0.0.1')
{

} 


Somehow I don't think that's what you're going for. Why have a public form if you don't want anyone's request to be processed?

I happy to have index.htm accessed by everyone.
I do not want bots or spammers etc to access result.php
The file I want to prevent bots from access is result.php
And these bots are not yahoos and google bots, but some random private bots.

Quote:

I do not want bots or spammers etc to access result.php

You can't stop bots POSTing the page without stopping EVERYONE accessing the page.

REMOTE_ADDR/REMOTE_IP is the client's address or IP NOT the IP of the hosting server

The ONLY way to stop direct POSTing to the receiving page is to have the form generate a unique ID that has to be present in the POST data for it to be accepted.

Quote:

Originally Posted by chrishirst

The ONLY way to stop direct POSTing to the receiving page is to have the form generate a unique ID that has to be present in the POST data for it to be accepted.

Just to clarify, a nonce accomplishes this.

Can't something be done using .htaccess
On similar lines as some scripts which block direct access of images.

A quick search yielded this:
http://www.selfseo.com/story-18469.php

Will something like this help ?

Quote:

Originally Posted by rsgs

A quick search yielded this:


Will something like this help ?

No.


........

Quote:

Originally Posted by NullPointer

Just to clarify, a nonce accomplishes this.

Absolutely (and I should have added that fact)

A good method to use is to generate a random token in the page before the form processing page and save that token in the session and also pass it along with the post form data. Your processing script must see that a session token is set, it exists in the post data, and that it matches the session token before processing can take place.

I am doing something similar using a form variable.
my idea is to prevent direct access as server level.
Any help using htaccess?

Forget .htaccess: you've been given two simple methods of doing it - use one of them!