Website Directory Structure - PHP and IIS 7.5

Hi All -

I have a dedicated server running Win2008 R2, with IIS 7.5.  I have a number of websites, one of which needs to be able to access a php script for a feedback form that is submitted by an html page.

I want to hide the php script so it is not hit by bots, but it still needs to be executed by a public html page.

Is this possible?  If so, how should I set up my directory structure and what perms do I need?



Just use


Keep in mind though, that the web bots will still be able to hit the calling public HTML page, so be sure to put a captcha or some other simple test to make sure the submitter is a human.
ee_reach (Author) commented:
Thanks, but then here are two questions:
1. How do I hide that path from the human viewers of the site when they wave their mouse over the "submit" button?

2. How do I set the windows perms?  (When I tried something similar, I get an error message about the file not being available or similar.)

Thanks again for the help
The submit button doesn't ever divulge anything about the path, but I guess I see what you're driving at - you want to actually post to a page not visible to bots.

My thought was that you have something like form.php that just basically puts a form up on the screen - bots can hit it at will but not really get anything of use.  However, if the right information goes to form.php via POST variables, then it instead includes your private file (as I've described above) and processes the submission.

Are you thinking of something different?  There should be no special perms needed on the file that you include.

ee_reach (Author) commented:
xterm - Thanks.  I have to go out for about a couple of hours.  When I get back, I'll set up a couple of links so you can see what I see.  That will probably make it clearer.  Thanks and I'll be in touch in a bit.
If you have an HTML page that is posting to a PHP script, you can't really hide that; there will always be a way to see it.

Like the others have said, instead of an HTML page you can have a PHP page that outputs the form and posts to itself, then, based on certain checks, can include a script or execute some code to do what it needs to do when the right conditions are met.

The best thing you can do is secure your scripts as best you can to reduce the amount of unauthorised access.

You can use a captcha to stop spam and maybe write a few checks to make sure the referrer was from your domain etc.

Essential PHP Security is a great book and explains various techniques for making your scripts more secure; it's definitely worth a read. It might not be exactly what you want for this, but I'm sure it will help in future situations.
ee_reach (Author) commented:
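The pattern the answers above describe (a public PHP page that posts to itself and only includes the private script when its checks pass), as an added example that is not code from this thread. The file names, the path outside the site root, the per-session token and PHP 7 or later are all assumptions.

```php
<?php
// form.php: the one public page. Added example; file names and paths are assumptions.
declare(strict_types=1);
session_start();

// Hypothetical path outside the IIS site root: no URL maps to it, but the
// PHP process must still be able to read it.
const PRIVATE_HANDLER = 'C:\\inetpub\\private\\feedback_handler.php';

function token_ok(array $post, array $session): bool
{
    // Per-session token issued with the form; compared in constant time.
    return isset($post['token'], $session['token'])
        && is_string($post['token'])
        && hash_equals($session['token'], $post['token']);
}

function referer_ok(array $server): bool
{
    // Weak signal only: Referer is client-supplied and may be missing.
    $ref  = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    $self = parse_url('http://' . ($server['HTTP_HOST'] ?? ''), PHP_URL_HOST);
    return is_string($ref) && is_string($self) && strcasecmp($ref, $self) === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (token_ok($_POST, $_SESSION) && referer_ok($_SERVER)) {
        unset($_SESSION['token']);   // token is single use
        // A captcha check would go here before handing off.
        require PRIVATE_HANDLER;     // the real processing code
        exit;
    }
    http_response_code(400);
    exit('Submission rejected.');
}

$_SESSION['token'] = bin2hex(random_bytes(32));
$token = htmlspecialchars($_SESSION['token'], ENT_QUOTES);
?>
<form method="post" action="form.php">
  <input type="hidden" name="token" value="<?= $token ?>">
  <textarea name="message" required></textarea>
  <button type="submit">Send</button>
</form>
```

The private handler still has to validate and escape every submitted field itself; the checks here only filter out requests that never loaded the form.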
Thanks, invsman249, I see what you are saying.  

I'll be back with both of you guys after I give your descriptions a shot.

Btw, thanks for the pointer to the book, I have just ordered it as everyone seems to think that is the best book even though it was published almost 7 yrs ago - a lifetime ago in the Internet world.  I have been very worried about having php running on my machine ever since I was hacked on another website on a different server last year and their avenue in was via php that was installed but not properly secured.

Thanks guys, and I'll get back to you after I give this a try.
ee_reach (Author) commented:
Still looking at this.  Will reply after the holidays.  Thanks.