How to secure the use of a PHP script that triggers emails?

Question

I build a PHP script to send emails (based on Amazon SES).

So I can make a GET or POST Ajax call to my PHP script:

envoi.php?nom=John&[email protected]

triggers an email to be sent to [email protected].

My website has a registration form which on submit makes a jquery ajax call to the PHP script (website and PHP script are on the same server). I use the script also for other events.

Now I am concerned that this script could obviously be abused if anyone gets hold of its URL.

How can I secure the access to this script?

Answer 1

You could use a captcha to protect access to this script and make abuses a little harder.

Answer 2

Step1: When the user opens the registration form, from which he can send mail and passes captcha, set a $_SESSION parameter.

$_SESSION["mail_allowed"] = true;

Step2: The request is sent as usual to

envoi.php?nom=John&[email protected]

Step3: Finally, in the mail script, do something like the following:

if($_SESSION["mail_allowed"]){
    $_SESSION["mail_allowed"] = false;
    //send mail  
}
else{
    die('File cannot be executed directly');
}

This way, the user is allowed to send mail once he opens your page, but cannot execute the mailer script directly.