I build a PHP script to send emails (based on Amazon SES).
So I can make a GET or POST Ajax call to my PHP script:
envoi.php?nom=John&[email protected]
triggers an email to be sent to [email protected].
My website has a registration form which on submit makes a jquery ajax call to the PHP script (website and PHP script are on the same server). I use the script also for other events.
Now I am concerned that this script could obviously be abused if anyone gets hold of its URL.
How can I secure the access to this script?
You could use a captcha to protect access to this script and make abuses a little harder.
Step1: When the user opens the registration form, from which he can send mail and passes captcha, set a $_SESSION
parameter.
$_SESSION["mail_allowed"] = true;
Step2: The request is sent as usual to
envoi.php?nom=John&[email protected]
Step3: Finally, in the mail script, do something like the following:
if($_SESSION["mail_allowed"]){
$_SESSION["mail_allowed"] = false;
//send mail
}
else{
die('File cannot be executed directly');
}
This way, the user is allowed to send mail once he opens your page, but cannot execute the mailer script directly.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With