Block access to PHP file using .htaccess

Time:09-13

I want to block direct access to a PHP file, for example when someone enters it manually in the address bar (https://example.com/php/submit.php). I used this code:

<Files "submit.php">  
   Order Allow,Deny
   Deny from all
</Files>

But if I block it this way, the form can't be submitted (it doesn't send mails).

Is there another way to block direct access but still be able to submit the form?

CodePudding user response:

<form id="form" action="php/submit.php" method="post">

Your form is making a POST request, whereas "when someone enters it manually in the address bar" they are making a GET request. So, you could block anything but POST requests.

Using <LimitExcept>

For example, surround your existing directives in a <LimitExcept> container:

<LimitExcept POST>
    <Files "submit.php">  
       Require all denied
    </Files>
</LimitExcept>

Note that this blocks non-POST requests to any submit.php file on your system.

NB: Order, Allow and Deny are Apache 2.2 directives and formally deprecated on Apache 2.4 (which you are more likely to be using, unless you are on LiteSpeed). Require all denied is the Apache 2.4 equivalent. However, you should not mix authentication directives from both modules.


Using mod_rewrite

Alternatively, using mod_rewrite near the top of the root .htaccess file you can target the /php/submit.php URL-path directly. For example:

RewriteEngine On

RewriteCond %{REQUEST_METHOD} !=POST [NC]
RewriteRule ^php/submit\.php$ - [F]

The above will serve a 403 Forbidden for any request to /php/submit.php that is not a POST request (e.g. when a user types the URL directly in the browser's address bar).

Alternatively, check that the request is a GET request, i.e. =GET


HOWEVER, you should already be performing this check as part of your standard form validation in your PHP code, so this additional check in .htaccess should be redundant. (After all, how are you checking that the form has been (successfully) submitted?)
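
The PHP-side check the answer refers to could look like the following. This is an added example, not part of the original answer; the field names (name, email, message), the status codes chosen and the function name check_submission are assumptions.

```php
<?php
declare(strict_types=1);
// submit.php (added example). Field names name/email/message are assumed.

/**
 * Decide how to respond to a request for the form handler.
 * Returns [HTTP status, list of validation errors].
 */
function check_submission(string $method, array $post): array
{
    // Typing the URL in the address bar sends GET; only the form's POST is accepted.
    if (strtoupper($method) !== 'POST') {
        return [405, ['method not allowed']];
    }

    $errors = [];
    foreach (['name', 'email', 'message'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "$field is required";
        }
    }

    // Values that end up in mail headers must not contain line breaks.
    foreach (['name', 'email'] as $field) {
        if (is_string($post[$field] ?? null) && preg_match('/[\r\n]/', $post[$field])) {
            $errors[] = "$field contains a line break";
        }
    }

    if (is_string($post['email'] ?? null) && trim($post['email']) !== ''
        && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not valid';
    }

    return [$errors === [] ? 200 : 422, $errors];
}

[$status, $errors] = check_submission($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST);
http_response_code($status);
header('Content-Type: text/plain; charset=utf-8');
if ($status === 405) {
    header('Allow: POST');   // tell the client which method is accepted
}
if ($status !== 200) {
    exit(implode("\n", $errors));
}
// Validation passed: send the mail here.
```

With this in place a GET to /php/submit.php gets a 405 from PHP itself, so the handler rejects direct requests even where the .htaccess rule is missing or not honoured.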
