Prevent Direct Access To Php Script But Allow From Index.html

I have a simple contact form where users input their data and the form sends it to 'mail.php' to be passed onto the email account there. The 'mail.php' file is in my root directory

Solution 1:

Just add some validation to your PHP script. For example:

<?phpif(isset($_POST['name'], $_POST['email'], $_POST['message'])) {
    $name = $_POST['name'];
    $email = $_POST['email'];
    $message = $_POST['message'];
    $formcontent=" From: $name \n Message: $message";
    $recipient = "me@email.com";
    $subject = "Contact Form";
    $mailheader = "From: $email \r\n";
    mail($recipient, $subject, $formcontent, $mailheader) ordie("Error!");
    header("Location: success");
    exit;
}
?>

This will prevent any blank submissions, without requiring you to filter by the referring page. As a general rule, you should always validate user input, anyway, because it is a source of all sorts of trouble (hacking, errors, generally unexpectedly behavior).

Solution 2:

You cannot block the browsers from accessing the page - when a browser submits a form, it navigates to the .php file just as if the user entered its URL directly, with the only difference being that there is POST data submitted as well.

If you want to prevents spam, you need to make sure your input is correct. Make sure the required fields are set. (Yes, Ed Cottrell was faster, see his answer)

Solution 3:

What you need to do is validate your inputs and if they aren't correct, don't send the form.

if (empty($_POST['name'])) {
    $errors[] = "You need to enter your name";
}
if (empty($_POST['email'])) {
    $errors[] = "You need to enter your email";
}
if (empty($_POST['message'])) {
    $errors[] = "You need to enter a message";
}

if (isset($errors)) {
    echo"There were errors sending your email:";
    echo"<ul>";
    foreach ($errorsas$error) {
        echo"<li>$error</li>";
    }
    echo"</ul>";
}
else {
    // send message
}