I have a script that fires off an email every time someone comments on my Facebook comment box. FB.Event.subscribe triggers an AJAX call to mail.php on my server, which fires off an email to my email address to notify me of a new comment. How do I make this more secure and block access to mail.php directly?
FB.Event.subscribe('comment.create', function (response) {
    // Server-side values injected into the page; json_encode keeps each
    // value a valid JavaScript string literal even if it contains quotes.
    var domain = <?= json_encode($_SERVER['SERVER_NAME']) ?>;
    var url = <?= json_encode($currentUrl) ?>;
    alert("comment added");
    var xmlhttp;
    if (window.XMLHttpRequest) {
        // code for IE7+, Firefox, Chrome, Opera, Safari
        xmlhttp = new XMLHttpRequest();
    } else {
        // code for IE6, IE5
        xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
    // encodeURIComponent stops '&', '?' and '#' inside the page URL from
    // being read as separate query parameters by mail.php
    xmlhttp.open("GET", "http://" + domain + "/mail.php?url=" + encodeURIComponent(url), true);
    xmlhttp.send();
});
---------- here is mail.php ----------
<?php
$to = "MY EMAIL HERE";
$subject = "New Comment Added";
// $_GET['url'] comes straight from the browser and is not validated here
$message = "New Comment posted here: " . (isset($_GET['url']) ? $_GET['url'] : '');
$from = "MY EMAIL HERE";
$headers = "From: " . $from;
//mail($to,$subject,$message,$headers);
//echo $_GET['accesstoken'] ;
?>
You cannot do this. If you enable the client to access mail.php with client-side code, then anyone can access it with a script as well. You can try to obfuscate it as much as you want, but if someone really wants to find out how to access it they will.

EDIT: The basic rule is, if it can be done in a browser by a human, then it can be done in a script by a computer. The only semi-counterpoint to this rule are CAPTCHAs, but even these can be circumvented nowadays.
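The answer is right that a publicly reachable mail.php cannot be hidden from scripts, but the damage a scripted caller can do is still bounded by what the endpoint accepts. Below is an added example (not the asker's or the answerer's code) of a hardened mail.php: it only mails a URL that parses as an http(s) URL on this site's own host, caps notifications per client address with a small file-based rate limiter, and keeps every request-controlled value out of the mail headers. The limit of 5 notifications per 10 minutes and the temp-file store are assumptions chosen for illustration; the email placeholders are the question's own. It needs PHP 7.4 or later for the arrow function.

```php
<?php
// Added example, not the original mail.php. It does not stop scripted callers
// (the answer explains why that is impossible); it limits what they can make
// the script send and how often.
declare(strict_types=1);

const NOTIFY_TO   = 'MY EMAIL HERE';   // placeholder from the question
const NOTIFY_FROM = 'MY EMAIL HERE';   // placeholder from the question
const RATE_LIMIT  = 5;                 // max notifications per client per window (assumption)
const RATE_WINDOW = 600;               // window length in seconds (assumption)

/**
 * Return the URL if it is an http(s) URL on $host (normally SERVER_NAME),
 * with the fragment and any CR/LF removed; otherwise return null.
 */
function sameSiteUrl(string $url, string $host): ?string
{
    if ($url === '' || strlen($url) > 2000) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (strcasecmp($parts['host'], $host) !== 0) {
        return null;
    }
    return str_replace(["\r", "\n"], '', strtok($url, '#'));
}

/**
 * Minimal per-client rate limiter: one file per client in the temp dir,
 * holding the timestamps of recent notifications. Returns true while the
 * client is under $limit sends within the last $window seconds.
 */
function underRateLimit(string $clientId, int $limit, int $window): bool
{
    $file = sys_get_temp_dir() . '/mailphp-rl-' . sha1($clientId);
    $now  = time();
    $stamps = is_file($file)
        ? array_filter(
            array_map('intval', file($file, FILE_IGNORE_NEW_LINES)),
            fn (int $t): bool => $t > $now - $window
          )
        : [];
    if (count($stamps) >= $limit) {
        return false;
    }
    $stamps[] = $now;
    file_put_contents($file, implode("\n", $stamps), LOCK_EX);
    return true;
}

// --- request handling ---
$host = $_SERVER['SERVER_NAME'] ?? '';
$url  = sameSiteUrl($_GET['url'] ?? '', $host);
if ($url === null) {
    http_response_code(400);   // off-site or malformed URL: refuse, send nothing
    exit;
}
$client = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
if (!underRateLimit($client, RATE_LIMIT, RATE_WINDOW)) {
    http_response_code(429);   // too many notifications from this client
    exit;
}
// Fixed subject and fixed From header: nothing from the request reaches the headers.
$message = "New Comment posted here: " . $url;
mail(NOTIFY_TO, 'New Comment Added', $message, 'From: ' . NOTIFY_FROM);
```

The check on the host is what matters most: the original script mails whatever string arrives in the url parameter, so anyone who finds mail.php can use it to deliver arbitrary text to the inbox. With the host restricted to the site itself, the worst a scripted caller can do is trigger a notification about one of your own pages, and the rate limit bounds how many of those arrive.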