Running A Script In Private Folder


Guest
Howdy partners,

I'd like to put my php mail script in a private folder for obvious reasons so that the outside world (email scammers) can't access and abuse it.

How can I get the info from a form into a php script in a private/password protected folder and have it send me the form info?

thanks mucho

---
Can't be done as far as I know since to run the form processor it has to have world access to it.

You might want to look at Ultimate Form Mail (http://www.surefirewebdesign.com/scripts/)

---
Thanks a bundle Bruce

---
I run my contact scripts from outside public_html, so it can be done.

In my case--

I created a folder outside of public_html--let's call it secret_folder. Inside that folder, I have a file called process_form.php -- this is the script that handles checking and then sending all the form data to me.

In public_html, I have my contact folder and it only has an index file. A stripped-down version of that file would look something like this:

```php
<?php
// Only hand off to the processor when the form was actually submitted.
if (isset($_POST['submit']) && $_POST['submit'] == 'Send It On') {

    // Lives outside public_html; it validates, sends the mail and sets $show_this.
    include '/home/mycpanelname/secret_folder/process_form.php';

} else {

    // No submission yet: show the invitation and the form.
    $show_this = '
        <p>I love comments! Send some to me!</p>

       <form method="post" action="/contact/index.php">
       Name: <input name="name" /><br />
       Email: <input name="email" /><br />
       Comments: <br />
       <textarea name="comments" rows="10" cols="50"></textarea>
       <input type="submit" name="submit" value="Send It On" />
       </form>';

}
?>

<html>
<head>
<title>My Contact Form</title>
</head>
<body>
<h1>Contact Form</h1>

<?php echo $show_this; ?>

</body>
</html>
```

Basically, the idea is that the script first checks to see if the submit button was pressed--did the visitor just send data in? If so, the script will include process_form.php from my secret folder. process_form.php checks all the form data, verifies a couple things, and then emails the comments to me. It also builds a variable called $show_this that contains a thank you message and, I think, a copy of the message the visitor sent to me (been a while since I tested that...).

But if the submit button hasn't been pressed, the script will instead create $show_this with a message inviting people to send me comments and providing a form to do so.

And then in the HTML portion of the page, all I really have to do is echo out the $show_this variable -- it'll either be a thank you note for sending me comments, or a form and invitation to do so.

The server doesn't care where you include files from when it goes to process them, so it's ok to throw the meat and bones of the script outside public_html. If you're using a premade script, though, you'd want to be really careful about moving parts of the script around so you don't break it. It's definitely possible to do, though.

In all honesty, though, the location of the script is the least important thing in securing it from abuse. A badly-written script can be abused no matter where it is on the server. I would worry more about making sure the processing part of the form does thorough checks on all the user-submitted data, and make sure there aren't any holes in the script someone could manipulate, before I'd worry about where that processing script was actually located. A well-written script in public_html is 100% safer than a badly-written script in a private folder.

---
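Added example, not part of the original posts: one way the process_form.php described above could do its "thorough checks on all the user-submitted data" before mailing, so that form values can never change the recipient or add mail headers. The function names, length limits and example.com addresses are assumptions made for this example, and passing headers to mail() as an array assumes PHP 7.2 or later.

```php
<?php
// process_form.php (added example): lives outside public_html, reached only via
// include. Function names and both addresses are placeholders for this example.
const CONTACT_TO   = 'owner@example.com';   // fixed recipient, never taken from the form
const CONTACT_FROM = 'webform@example.com'; // fixed From address

function validate_contact(array $post): array
{
    $errors = $clean = [];
    foreach (['name', 'email', 'comments'] as $field) {
        // Missing fields and array input (name[]=x) become empty strings.
        $value = $post[$field] ?? '';
        $clean[$field] = is_string($value) ? trim($value) : '';
    }
    foreach (['name', 'email'] as $field) {
        // Single-line fields: CR/LF in a header value would let the sender add header lines.
        if (preg_match('/[\r\n]/', $clean[$field])) {
            $errors[] = "$field contains a line break";
        }
    }
    if ($clean['name'] === '' || strlen($clean['name']) > 100) {
        $errors[] = 'name is required (max 100 characters)';
    }
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if ($clean['comments'] === '' || strlen($clean['comments']) > 5000) {
        $errors[] = 'comments are required (max 5000 characters)';
    }
    return [$errors, $clean];
}

function send_contact(array $clean): bool
{
    // The visitor's address appears only in Reply-To, and only after validation.
    $headers = ['From' => CONTACT_FROM, 'Reply-To' => $clean['email']];
    $body = "Name: {$clean['name']}\nEmail: {$clean['email']}\n\n{$clean['comments']}";
    return mail(CONTACT_TO, 'Contact form message', $body, $headers);
}

[$errors, $clean] = validate_contact($_POST);
if ($errors) {
    $show_this = '<p>Please fix: ' . htmlspecialchars(implode('; ', $errors)) . '</p>';
} else {
    // Escape anything echoed back into the page.
    $show_this = send_contact($clean)
        ? '<p>Thanks, ' . htmlspecialchars($clean['name']) . '! Your message was sent.</p>'
        : '<p>Sorry, the message could not be sent.</p>';
}
```

---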
> In all honesty, though, the location of the script is the least important thing in securing it from abuse. A badly-written script can be abused no matter where it is on the server. I would worry more about making sure the processing part of the form does thorough checks on all the user-submitted data, and make sure there aren't any holes in the script someone could manipulate, before I'd worry about where that processing script was actually located. A well-written script in public_html is 100% safer than a badly-written script in a private folder.

Correct! And it was the processing part of the form I was referring to. Also the reason I suggested UFM.
 