[RESOLVED] Form Action Outside Root

mzovadia

Hello,

I want to put my form processing script outside the document root, but when I submit the form, I get a 404 error. I can successfull pull an include file outside the root with

<?php require_once('/hsphere/local/home/account/test/root.inc'); ?>

, so I know the path is correct. My form action looks like this:

<form action="/hsphere/local/home/account/scripts/formmail_proc.php" method="post" id="contact">

. Am I doing something wrong, or is it not possible to run scripts outside the root without the server being configured to do so? I'm on a shared plan.

Thanks!
mzovadia

rkolbe

mzovadia wrote:
Hello,

I want to put my form processing script outside the document root, but when I submit the form, I get a 404 error. I can successfull pull an include file outside the root with
<?php require_once('/hsphere/local/home/account/test/root.inc'); ?>
, so I know the path is correct. My form action looks like this:
<form action="/hsphere/local/home/account/scripts/formmail_proc.php" method="post" id="contact">
. Am I doing something wrong, or is it not possible to run scripts outside the root without the server being configured to do so? I'm on a shared plan.

Thanks!
mzovadia

Yes that is wrong...what happens with "action="/hsphere/local/home/account/scripts/formmail_proc.php" is that it is really "action="http://yourwebsite.com/hsphere/local/home/account/scripts/formmail_proc.php"

mzovadia

OK, so what do I need to do in order to get the form processed outside the root? I've read that it's wise to place such processes outside the root for security measures, but I'm having a hard time finding any info on exactly how to do this. I'd love to know how others handle this.

Thanks much,
mzovadia

rkolbe

mzovadia wrote:
OK, so what do I need to do in order to get the form processed outside the root? I've read that it's wise to place such processes outside the root for security measures, but I'm having a hard time finding any info on exactly how to do this. I'd love to know how others handle this.

Thanks much,
mzovadia

Well...I suppose it all depends on how this thing is written...If it's just procedural code, I don't see an easy way, or anyway offhand getting it to work.

However, if there are certain calls or functions from that script, you could just do an include_once() on your web page and call the functions as needed (or classes, if you are going that route).

However, if it were my server, the proper use of .htaccess files or <directory> setups in the apache config file would solve your issue without having to move your script(s).

mzovadia

Thanks, rkolbe. This is a form to mail script and I've read how malicious types can send a bunch of spam through the form if proper precautions aren't taken. I'll try the .htaccess route.

Thanks again!

bradgrafelman

mzovadia wrote:
I've read that it's wise to place such processes outside the root for security measures

Well, disregard what've you read then. Maybe I can see this being true if you had a config file that had DB passwords and such, but even then I wouldn't worry about it, since I would simply define() the passwords and wouldn't care if someone went to http://mysite.com/config.php since they wouldn't see anything but a blank screen (or perhaps a nasty message I might leave them 😉).

mzovadia wrote:
This is a form to mail script and I've read how malicious types can send a bunch of spam through the form if proper precautions aren't taken.

Quite true; if you have a form that does any sort of mailing, you need to be extra careful about how you use the submitted data. For example, you should never use any user-supplied variable (including ones in the query string - they can alter those just as easy as submitting a form) in the header section of an e-mail... if you do, you need to make sure you've sanitized the data and prevented them from injecting their own headers and mail message.

In fact, if I use a form that automatically sends e-mails from a user-given address, I'd probably include a CAPTCHA or even a simple "What is two times 5 ?" required question to verify that it's a person submitting the form and not a spam bot.

welduae

mzovadia wrote:
Hello,

I want to put my form processing script outside the document root, but when I submit the form, I get a 404 error. I can successfull pull an include file outside the root with
<?php require_once('/hsphere/local/home/account/test/root.inc'); ?>
, so I know the path is correct. My form action looks like this:
<form action="/hsphere/local/home/account/scripts/formmail_proc.php" method="post" id="contact">
. Am I doing something wrong, or is it not possible to run scripts outside the root without the server being configured to do so? I'm on a shared plan.

Thanks!
mzovadia

Hi,

You can do so by using action="<?php echo $_SERVER['PHP_SELF'];?>" in the form tag. This will reload the same page. You will also need to add something like the following before the form:
<?PHP
include '../../scripts/process_form.php';

the process_form.php will include your form process script and it should be something like

<?php
if(isset($_POST['add']))
{
// do some process
}
?>

I hope you find this usefull