I am using WAMP and hosting the PHP files locally.
Assume I have these two files:
customer.php – a form to add customer details
recordCustomer.php – connects to the database and stores the information in the database (where all the processing is done)
How do I stop a user from accessing the file recordCustomer.php by typing the file name in the address bar?
http://localhost/testing/recordCustomer.php has to be redirected and given an error message.
However,
http://localhost/testing/customer.php is allowed.
Thank you
The problem is not the access to recordCustomer.php but the fact that you execute the code if the access is direct. Preventing the access by .htaccess, for example, will make your form unsubmittable.
You should use a random token in your customer.php form. The token is saved into the session and inserted into the form with a hidden input. On recordCustomer.php you just have to check if the token is given and if it matches the one in the session. If it matches => this is a legit call to recordCustomer.php; else => someone is trying to bypass your form, reject the request.
That's a school case of CSRF attack 😉
Have a look here for example
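The token check the answer describes, written out as an added example (this is not code from the question or the answer). It assumes PHP 7 or later (random_bytes, hash_equals), that both customer.php and recordCustomer.php include this one file, and that the hidden input and the query parameter are named csrf_token and error; those names are my choice, not the thread's.

```php
<?php
// Added example: shared helper for customer.php and recordCustomer.php.
// Assumes PHP >= 7.0. The names csrf_token (hidden input) and error
// (redirect query parameter) are assumptions, not from the original thread.

session_start();

// Generate one random token per session and reuse it for every form render.
// 32 bytes from the CSPRNG, hex-encoded, so it cannot be guessed.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only for a POST whose csrf_token field equals the session token.
// A URL typed into the address bar is a GET with no token, so it fails the
// first check. hash_equals() compares in constant time.
function csrf_is_valid(array $server, array $post): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || $given === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

// --- customer.php: echo render_customer_form(); ---
// The token goes into a hidden input; htmlspecialchars() keeps the markup safe
// even though the token is hex and already harmless.
function render_customer_form(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return <<<HTML
<form method="post" action="recordCustomer.php">
  <input type="hidden" name="csrf_token" value="{$token}">
  <label>Name <input type="text" name="name" required></label>
  <button type="submit">Save</button>
</form>
HTML;
}

// --- recordCustomer.php: guard_record_customer(); then do the DB work ---
// Anything that did not arrive through the form is bounced back to the
// form with an error flag (status 303 so the browser re-requests with GET).
function guard_record_customer(): void
{
    if (csrf_is_valid($_SERVER, $_POST)) {
        return; // legitimate submission, continue to the database code
    }
    header('Location: customer.php?error=invalid_request', true, 303);
    exit('Invalid request: please submit the form from customer.php.');
}
```

What the token actually proves is that the request came from a browser session that rendered your form; it does not make recordCustomer.php unreachable, and it does not replace validating the submitted fields server-side before they reach the database. Regenerate the token after login and logout (session_regenerate_id() plus unsetting $_SESSION['csrf_token']) so a token captured from an old session cannot be replayed into a new one.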