1

I'm a web developer hobbyist. I'm over 50, never had a true web dev job but like to tinker in my spare time for fun. That said, I have a web site hosted by Bluehost that I wrote with PHP from scratch. I actually enjoy the functionality better than creating UI. I use no CMS or framework.

My specific problem is this: I try to follow the norms so I have an .htaccess file in my root or public_html folder. In this I have just one line: FallbackResource index.php

I try to handle all my "site pages" through the index.php file like this >

    // check url in users browser and bring here
    $path = ltrim($_SERVER['REQUEST_URI'], '/'); // Trim leading slash(es)

    if($path === "" || $path === "login" || $path === "home"){
        if(isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === true){
            require_once '../my_stuff/dashboard.php';            
        }else{  
            require_once '../my_stuff/login.php';
        }
    }elseif($path === "register"){
        if(isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === true){
            require_once '../my_stuff/dashboard.php';            
        }else{  
            require_once '../my_stuff/register.php';
        }
    }elseif($path === "dashboard"){
        if(isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === true){
            require_once '../my_stuff/dashboard.php';            
        }else{  
            require_once '../my_stuff/login.php';
        }
    }elseif($path === "logout"){
        require_once '../my_stuff/logout.php';
    }elseif($path === "verify"){
        require_once '../my_stuff/verify.php';
    }elseif($path === "proc_reg.php"){
        require_once 'proc_reg.php';
    }else{
        header('HTTP/1.1 404 Not Found');
        echo 'page not found';
    }

The only files in the html root are index.php, .htaccess and my favicon.ico. All other files are loaded from a folder outside and above the html root. This works fine. And when I have links in my html they just look like this "/about" or "/home", those work as well, redirecting back to index.php. However, all my forms processing pages are not being accessed properly. I don't really like sending a form back to itself, I like it to be handled separately. I like to keep separation of concerns. For my includes on my index.php file I use ../my_stuff/whatever_page to get my other files, going back out of the html root and into the my_stuff folder. But this doesn't work when I include these URLs in the "action" attribute of the forms. At least not on the host server. When I dev locally, it works fine. So, I had to move the form processing files out of my_stuff above the html root and place them in another folder in the html root. I consider this messy and potentially dangerous. I did add this line to my .htaccess file > Options -Indexes to help a bit. But, if someone knows the exact name of the file they can get to it; like mysite/procs/this_form.php. I do have these couple of lines at the top of those scripts though.

if($_SERVER["REQUEST_METHOD"] !== "POST") {
    header('Location: ../');
    exit;  
}

Is there a way I can get my processing pages back above the html root or is this just the norm?

Bob Todd
  • I love to send the form back to the same URL, but in POST. You can manage them in external files if you want, by checking the REQUEST_METHOD. At the end of the treatment, you can do a redirect to the GET method. – Dom May 04 '21 at 17:40
  • I really don't have the need to send back because I use Ajax for live response. And if the user has JS disabled I store the POST/GET variables in Session variables(on the form processing page) and echo those out when redirected back to form that wasn't filled out properly. Oh, and I forgot to mention, my remote host is a shared service. Maybe I'm being too picky. – Bob Todd May 04 '21 at 17:46
  • I guess it comes down to the point of view of where the action is being called. Since the forms themselves are above the web root in the my_stuff folder, I figured I only needed to use the file name itself. But when I did that the server was looking in the web root. So tried using ../my_stuff/file.php but then it was looking for a my_stuff folder in the web root. I'm gonna try echoing an include in the action itself. I never thought I would have to code so much right in the server itself. – Bob Todd May 04 '21 at 18:44
  • @BobTodd BTW, this is really a StackOverflow (programming) question rather than a ServerFault (server config) question. I've flagged your question for migration. – MrWhite May 04 '21 at 19:13

1 Answer

0

> For my includes on my index.php file I use ../my_stuff/whatever_page to get my other files, going back out of the html root and into the my_stuff folder. But this doesn't work when I include these URLs in the "action" attribute of the forms.

Those are not "URLs", they are filesystem paths. The value of the action attribute should be a public-facing URL, just like /about or /home (to relate to your example).

You can then use your "router" (the if-elseif block in index.php) to route the requested URL, just as you are doing for all your other URLs.

For example, following your example...

In your HTML:

<form action="/form-submission" method="POST">
:

In index.php:

elseif($path === "form-submission" && $_SERVER["REQUEST_METHOD"] == "POST"){
    require_once '../my_stuff/whatever';

> But, if someone knows the exact name of the file they can get to it; like mysite/procs/this_form.php

Anyone can submit a POST request for your form-submission page, just as anyone can make a GET request to your /about or /home pages. You would need to implement sufficient validation and security measures for this not to be a problem.

> I really don't have the need to send back because I use Ajax for live response.

I'm not quite sure what you mean by this. AJAX is just an asynchronous request. So, whether the request is submitted synchronously from the HTML or asynchronously from JavaScript, you are still making a POST request to /form-submission.

MrWhite
  • It worked! Thank You MrWhite. – Bob Todd May 04 '21 at 18:51
  • One more question, what if I have a page that returns when someone clicks a link in their email that just registered like > mysite.com/verify.php?email=test@test.com&key=1234 Can the verify file be handled the same? – Bob Todd May 04 '21 at 18:59
  • @BobTodd Yes, you can handle it "the same". eg. `example.com/verify-email?email=test@test.com&key=1234`. However, you will need to modify your current PHP script slightly since `$_SERVER['REQUEST_URI']` includes the query string. – MrWhite May 04 '21 at 19:10
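
The routing approach from the answer, together with the query-string caveat from the last comment, as an added example (not code from either poster). The handler file names, the `csrf` form field and a token stored in `$_SESSION['csrf']` when the form is rendered are assumptions; the token check is one possible form of the "validation and security measures" the answer mentions, and the question's logged-in branching is left out for brevity.

```php
<?php
// Added example: front controller for public_html/index.php.
// Handler names under ../my_stuff/ are assumptions modelled on the question.
declare(strict_types=1);
session_start();

// Allowlist: "METHOD path" => handler outside the web root. Nothing from the
// request is ever concatenated into a filesystem path.
const ROUTES = [
    'GET '                 => 'login.php',
    'GET register'         => 'register.php',
    'GET verify-email'     => 'verify.php',
    'POST form-submission' => 'proc_reg.php',
];

function resolve_route(string $method, string $requestUri): ?string
{
    // REQUEST_URI carries the query string; match on the path component only.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null; // malformed URI
    }
    $key = strtoupper($method) . ' ' . trim(rawurldecode($path), '/');
    return ROUTES[$key] ?? null;
}

function csrf_ok(array $post, array $session): bool
{
    // Constant-time comparison of the submitted token with the stored one.
    return isset($post['csrf'], $session['csrf'])
        && is_string($post['csrf']) && is_string($session['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
}

$method  = $_SERVER['REQUEST_METHOD'] ?? 'GET';
$handler = resolve_route($method, $_SERVER['REQUEST_URI'] ?? '/');

if ($handler === null) {
    http_response_code(404);
    echo 'page not found';
} elseif ($method === 'POST' && !csrf_ok($_POST, $_SESSION)) {
    http_response_code(403);
    echo 'invalid form token';
} else {
    require_once __DIR__ . '/../my_stuff/' . $handler;
}
```

With this in place, `/verify-email?email=test@test.com&key=1234` resolves to `verify.php`, which can read `$_GET['email']` and `$_GET['key']` as usual, and the form handlers no longer need to live inside the web root.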