PHP script bot protection

I have two PHP scripts, both of which send mail out to a user group. I am using a password-protected admin selection to click through to the PHP script, but I am constantly being scraped by bots.

I have tried robots.txt, .htaccess and placing a password request in each of the two PHP scripts. I also tried Cloudflare with Under Attack mode, but this blocked the PHP scripts from running.

It appears to me that the scripts are being activated from outside my domain. Is there a way to protect these two scripts from unauthorised execution?

You need to provide the security related code you are using.

What is the code for this?

As I previously wrote in a reply, you should be using POST requests when causing an action on the server. Legitimate search engines won't ever make a POST request.

This only has any effect on legitimate search engines that actually read the file and make use of the information in it.

You would need to post what you tried. I'm thinking at this point that you didn't stop PHP code execution and the scripts continue to run any time they receive an HTTP request.

Based on your description, the email scripts must be web-accessible, since you are triggering them from an admin web page? These scripts must test for any user login and any user permissions that are needed to access them, and stop PHP code execution if the login/permission test fails.

I have added Options -Indexes to the .htaccess and removed the password protection from the two scripts.

.htaccess is now like this:

# Disable directory listings and allow symlinks
Options -Indexes
Options +FollowSymLinks

RewriteEngine On
RewriteBase /

# Return 403 Forbidden to any request whose User-Agent matches one of these (case-insensitive)
RewriteCond %{HTTP_USER_AGENT} Mb2345Browser|LieBaoFast|zh-CN|MicroMessenger|zh_CN|Kinza|Datanyze|serpstatbot|spaziodati|OPPO\sA33|AspiegelBot|aspiegel|PetalBot [NC]
RewriteRule ^ - [F,L]

Placed in the root under public_html.

This only prevents a directory listing if there is no default document. This won’t stop any access to a URL if you know the URL.

So if the URLs are

https://xxxx.com/public_html/output/send_message_out.php
or the absolute path
home4/ricstrav/domains/xxxx.com/public_html/output/send_message_out.php

and

https://xxxx.com/public_html/output/send_click_report.php

or

home4/ricstrav/domains/xxxx.com/public_html/output/send_click_report.php

how would I protect the URLs in the .htaccess file?

You don’t. Read what I wrote in the reply above.

I am sorry, I may be misleading you due to my lack of knowledge on bot scraping.

When the user wants to send a mailout, they click a link from the admin menu and the PHP executes. My problem is not with this part, as it all works fine; it is that some days afterwards a non-executed email send appears (a phantom mailout), which I am presuming comes from a bot scraping. Here is a sample of the header of the phantom email.

X-PHP-Script: XXXX for 54.36.148.55
X-PHP-Filename: /home4/ricstrav/domains/xxxx.com/private_html/output/send_message_out.php
REMOTE_ADDR: 54.36.148.55

My host said that 54.36.148.55 is a bot executing from outside of my domain. It is this I am trying to prevent, but my limited skill level in this area suggests that nothing I can do in my domain, i.e. adding passwords, would be effective if execution is triggered outside the domain.

Would this be of any help, using your POST advice (from Stack Overflow)?

You can simply put the following line on the redirection page (say page1.php).

header("Location: URL", TRUE, 307); // Replace URL with to be redirected URL, e.g. final.php

No redirect will have any effect. Most bot scripts don't follow redirects.

The code in the two scripts must have logic to decide if they will execute the email sending logic. If the current user is not logged in or doesn’t have high enough access level to send emails, the code must not execute the email sending logic.

If you want help with securing the two email scripts, you will need to post the code you tried to secure those scripts.
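What the replies above ask for, as an added example that is not code from the thread: a gate that both mail scripts include as their first statement, which refuses anything that is not a POST from a logged-in account holding the right role, and calls exit() on every failure path so the mail code below it never runs. It assumes the admin login page already calls session_start() and, on success, stores $_SESSION['user_id'] and $_SESSION['role']; those keys, the 'mail_admin' role name and the file name require_mail_admin.php are illustrative.

```php
<?php
// Added example, not code from the thread. Both mail scripts include this file
// as their first statement. It assumes the admin login page already calls
// session_start() and, on success, sets $_SESSION['user_id'] and
// $_SESSION['role']; those keys, the 'mail_admin' role and the file name
// require_mail_admin.php are illustrative.

declare(strict_types=1);

session_start();

/**
 * Stop the request unless it is a POST from a logged-in admin who may send mail.
 * Every failure path calls exit(), which is what actually prevents the mail
 * code further down the including script from running.
 */
function require_mail_admin(array $server, array $session): void
{
    // 1. Only POST reaches the sending logic. Crawlers, link prefetchers and
    //    anyone who merely knows the URL send GET and are turned away here.
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        exit('This script only accepts POST requests.');
    }

    // 2. The session must have been created by your login page.
    if (empty($session['user_id'])) {
        http_response_code(403);
        exit('Not logged in.');
    }

    // 3. The logged-in user must also hold a role that is allowed to send.
    if (($session['role'] ?? '') !== 'mail_admin') {
        http_response_code(403);
        exit('This account is not permitted to send mailouts.');
    }
}

require_mail_admin($_SERVER, $_SESSION);

// Only reached when all three checks passed; the mail-sending code goes below.
```

Put `require __DIR__ . '/require_mail_admin.php';` as the very first line of send_message_out.php and send_click_report.php, before any HTML output, and change the admin menu link into a small POST form pointing at each script. The exit() calls are the part that matters: a header() redirect, a JavaScript prompt or a robots.txt entry does not stop the PHP that follows it from executing.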

This is the password I placed in the head of each script:

<!doctype html>
<html>
<head>
<script language="JavaScript">
<!-- hide from very old browsers
var password;
var pass1 = "xxxx";

// The prompt and the comparison both run in the visitor's browser
password = prompt('Please enter your password to view this page!', '');

if (password == pass1) {
  alert('Password Correct! Click OK to enter!');
} else {
  alert('Password Incorrect! Click OK to return to xxx');
  history.go(0);
  window.location = "https://xxx.com/";
}
// -->
</script>

Bots don't execute JavaScript. Using JavaScript, which runs in the browser, doesn't provide any security.

I have posted multiple times now that the PHP code, which runs on the web server when the page gets requested, must do this, in order to stop the PHP email-sending code from being executed.

Does your admin menu/page have an actual php user authentication/login system?

OK, I have done as you said, thank you.

You say you have two scripts - I hope one is to enter your newsletter and the other to send mail and return to either your form or a confirmation page.
If not, you should do that.

Firstly, password-protect your form. I use :: Web Page Password Protect :: Free PHP Scripts
You may also want to protect the form from users outside your country or region (I can provide a script for this if you wish).

From this point, there are many ways to protect usage of the second send file.
PHP has powerful protection built in, and here is a solution using password_hash().

In your form, start by adding session_start();
// Generate a password hash and keep it in the session
$formpass = password_hash("DoNotUseThis", PASSWORD_DEFAULT);
$_SESSION["pass"] = $formpass;

In the send script:
session_start();
// password_hash() salts every call, so two hashes of the same string never
// compare equal; check the stored hash with password_verify() instead
if (isset($_SESSION["pass"]) && password_verify("DoNotUseThis", $_SESSION["pass"])) { /* process mail */ }
else { /* warning page */ }

This ensures that sending mail can only be done from the form on your server.

I know there are other solutions.
Here’s an example of a country protection form https://norfolkpubs.uk/contactus.php
If you are not in Great Britain you will be redirected to The Complete Norfolk Pubs Guide 2025
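The form-to-send handoff sketched in the post above, as an added example that is not code from the thread: the form page mints a random token and stores it in the session, and the send script accepts a request only if it carries that token, once, within a time limit. This replaces comparing two password_hash() results, which can never match because password_hash() salts every call. File names and the $_SESSION keys are illustrative.

```php
<?php
// Added example, not code from the thread. The form page mints a random token
// and stores it in the session; the send script runs only for a POST that
// carries that token, exactly once, within a time limit. File names and
// $_SESSION keys are illustrative.

declare(strict_types=1);

session_start();

// ---- newsletter form page: mint a token and put it in a hidden field ------
function issue_send_token(): string
{
    $token = bin2hex(random_bytes(32));         // 256 bits from the CSPRNG
    $_SESSION['send_token'] = $token;
    $_SESSION['send_token_issued'] = time();
    return $token;
}
// In the form's HTML:
//   <input type="hidden" name="send_token" value="TOKEN">
// where TOKEN is htmlspecialchars(issue_send_token(), ENT_QUOTES).

// ---- send script: verify the token exactly once ---------------------------
function verify_send_token(array $post, int $maxAgeSeconds = 900): bool
{
    $expected = $_SESSION['send_token'] ?? null;
    $issued   = (int) ($_SESSION['send_token_issued'] ?? 0);
    $given    = $post['send_token'] ?? null;

    // Single use: discard the token before comparing, so a replayed POST
    // fails even if this request later errors out.
    unset($_SESSION['send_token'], $_SESSION['send_token_issued']);

    if (!is_string($expected) || !is_string($given) || $given === '') {
        return false;
    }
    if (time() - $issued > $maxAgeSeconds) {
        return false;                           // form was loaded too long ago
    }
    return hash_equals($expected, $given);      // constant-time comparison
}

// Call this at the top of send_message_out.php, before any mail code.
function refuse_unless_from_form(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST' || !verify_send_token($_POST)) {
        http_response_code(403);
        exit('Refused: this request did not come from the newsletter form.');
    }
}
```

A token like this only proves that the form was loaded in the same session shortly before; it is an addition to the login and permission check on the send script, not a substitute for it.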

Thanks for all your help. I settled on the one below and so far I have not had any phantom emails, so I am including this script in case it is useful for someone else.

<?php
// Set the password (keep this file out of anything a visitor can download)
$password = "****";

// Let the user access the protected content only if the submitted password
// matches; hash_equals() compares in constant time and rejects non-strings
$supplied = $_POST["password"] ?? "";
if (is_string($supplied) && $supplied !== "" && hash_equals($password, $supplied)) { ?>

My stuff here

<?php }
// Display this content if the provided password is wrong or missing
else {
  // Show the wrong-password notice only after a submission
  if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    ?>
    <h2 style="color: red;">Sorry...! The password you have provided was wrong!</h2>
  <?php } ?>
  <h2>Enter the correct password to see the protected content on this page</h2>
  <form id="myForm" method="post">
    <p align="center">
      <input name="password" type="password" size="25" maxlength="10">
      <input value="Submit" type="submit">
    </p>
  </form>
<?php
}
exit;
?>