
Why won’t my "secure" form work?

May 20, 2009 at 10:50 pm

    Hi all!

    First off, as you can probably tell I don’t know much about PHP. I’ve only dabbled in it a little recently, so please be nice to this noob. Basically, I took the recent CSS-Tricks article and tried to adapt it for my purposes, ‘cuz I’ve been getting some spam on my "contact me" form. Silly me, when you disable javascript, the form still submits. Anyway, I wanted to have something more secure that would strip out funny business, etc. I tried this and nothing works. However, I uploaded the CSS-Tricks example form to a separate directory on my webserver and it works just peachy.

    Code:
    <?php

    // Secure the email form
    session_start();

    function writeLog($where) {

        $ip = $_SERVER["REMOTE_ADDR"]; // Get the IP from superglobal
        $host = gethostbyaddr($ip); // Try to locate the host of the attack
        $date = date("d M Y");

        // create a logging message with php heredoc syntax
        $logging = <<<LOG

    << Start of Message >>
    There was a hacking attempt on your form. \n
    Date of Attack: {$date}
    IP-Address: {$ip} \n
    Host of Attacker: {$host}
    Point of Attack: {$where}
    << End of Message >>
    LOG;
        // Awkward but LOG must be flush left

        // open log file
        if ($handle = fopen('hacklog.log', 'a')) {

            fputs($handle, $logging); // write the Data to file
            fclose($handle); // close the file

        } else { // if first method is not working, for example because of wrong file permissions, email the data

            $to = 'jesse.racine@gmail.com';
            $subject = 'HACK ATTEMPT';
            $header = 'From: jesse@racinewebworks.com';
            if (mail($to, $subject, $logging, $header)) {
                echo "Sent notice to admin.";
            }

        }
    }

    function verifyFormToken($form) {

        // check if a session is started and a token is transmitted, if not return an error
        if (!isset($_SESSION[$form . '_token'])) {
            return false;
        }

        // check if the form is sent with token in it
        if (!isset($_POST['token'])) {
            return false;
        }

        // compare the tokens against each other if they are still the same
        if ($_SESSION[$form . '_token'] !== $_POST['token']) {
            return false;
        }

        return true;
    }

    function generateFormToken($form) {

        // generate a token from a unique value, taken from microtime; you can also use salt values, other hashing methods...
        $token = md5(uniqid(microtime(), true));

        // Write the generated token to the session variable to check it against the hidden field when the form is sent
        $_SESSION[$form . '_token'] = $token;

        return $token;
    }

    // VERIFY LEGITIMACY OF TOKEN
    if (verifyFormToken('form1')) {

        // CHECK TO SEE IF THIS IS A MAIL POST
        if (isset($_POST['URL-main'])) {

            // Building a whitelist array with keys which will send through the form, no others would be accepted later on
            // URL-main has to be in this list as well: the branch above only runs when it is posted,
            // and the loop below rejects every posted key that is not listed here
            $whitelist = array('token', 'req-name', 'req-email', 'req-description', 'URL-main');

            // Walk the $_POST superglobal
            foreach ($_POST as $key => $item) {

                // Check if the value $key (fieldname from $_POST) can be found in the whitelisting array, if not, die with a short message to the hacker
                if (!in_array($key, $whitelist)) {

                    writeLog('Unknown form fields');
                    die("Hack-Attempt detected. Please use only the fields in the form");

                }
            }

            $message = '';

            $message .= "Name: " . strip_tags($_POST['req-name']) . "\n"; // In about every case, there are no script tags within a name, so kick them out!
            $message .= "Email: " . strip_tags($_POST['req-email']) . "\n\n"; // same procedure here, another method (in php5) is the filter_var function to check if the input is a valid email address

            $message .= "Project Description: " . strip_tags($_POST['req-description']) . "\n";

            $message .= "\n";

            $to = 'jesse.racine@gmail.com';
            $subject = 'Hooray! You got a bite off your website!';
            $header = 'From: jesse@racinewebworks.com';

            if (mail($to, $subject, $message, $header)) {
                echo 'Your message has been sent.';
            } else {
                echo 'There was a problem sending your contact message';
            }

            // DON'T BOTHER CONTINUING TO THE HTML...
            die();

        }
    } else {

        // $form is not defined at this point, so the session key is spelled out
        if (!isset($_SESSION['form1_token'])) {
            // no token in the session yet (first visit): fall through and show the form below
        } else {
            // the session has a token but this request carried none or a different one
            echo 'Hack-Attempt detected. Got ya!';
            writeLog('Formtoken');
        }

    }
    ?>

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">


    <?php
    // generate a new token for the $_SESSION superglobal and put it in a hidden field
    $newToken = generateFormToken('form1');
    ?>

    Your name:

All I want is to securely submit three fields (strip out funny business), but no go. I like the token concept and I don’t mind the weak md5 ‘cuz I figure something is better than nothing. I don’t need the log feature, but I didn’t want to break it further. Why won’t it work? It’s probably something silly. Thanks for whatever help you can provide.

BTW, is there an IDE that would help me debug something like this? Aptana or Eclipse or Netbeans or something? Thnx.
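The same token-plus-whitelist design, written as an added example (not the poster's code and not the CSS-Tricks article's), with the token made unguessable, compared in constant time and valid for one submission only. It assumes PHP 7.1+ and the field names the posted form uses (token, req-name, req-email, req-description, URL-main).

```php
<?php
// Added example (not the poster's or the CSS-Tricks article's code): the same token +
// whitelist + strip_tags design, token unguessable, compared in constant time, used once. PHP 7.1+.
session_start();

function generateFormToken(string $form): string {
    // 32 CSPRNG bytes; md5(uniqid(microtime(), true)) is clock-derived and guessable
    $token = bin2hex(random_bytes(32));
    $_SESSION[$form . '_token'] = $token;
    return $token;
}

function verifyFormToken(string $form, array $post): bool {
    $expected = $_SESSION[$form . '_token'] ?? null;
    $given = $post['token'] ?? null;
    if (!is_string($expected) || !is_string($given)) {
        return false;
    }
    unset($_SESSION[$form . '_token']); // one token per rendered form: a replayed POST fails
    return hash_equals($expected, $given); // constant-time comparison, unlike !==
}

function unknownFields(array $post, array $whitelist): array {
    // the posted foreach/in_array loop as one set difference over the posted keys
    return array_keys(array_diff_key($post, array_flip($whitelist)));
}

function buildMessage(array $post): ?string {
    // the posted comment mentions filter_var for the address: reject it, do not just strip tags
    $email = filter_var($post['req-email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) { return null; }
    return "Name: " . strip_tags($post['req-name'] ?? '') . "\n"
         . "Email: " . $email . "\n\n"
         . "Project Description: " . strip_tags($post['req-description'] ?? '') . "\n";
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // URL-main is the field the posted code keys the mail branch on, so it is allowed here
    $whitelist = ['token', 'req-name', 'req-email', 'req-description', 'URL-main'];
    if (!verifyFormToken('form1', $_POST)) {
        http_response_code(403); die('Form token missing or expired; reload the form and try again.');
    }
    if ($bad = unknownFields($_POST, $whitelist)) {
        http_response_code(400); die('Unexpected fields: ' . htmlspecialchars(implode(', ', $bad)));
    }
    if (($message = buildMessage($_POST)) === null) {
        http_response_code(400); die('Please enter a valid email address.');
    }
    // mail($to, $subject, $message, $header) goes here, followed by die() as in the post
}
$newToken = generateFormToken('form1'); // echo this into the hidden "token" input
```

Because the token is cleared when checked, a plain page reload after a failed submit renders a fresh token instead of printing the "Hack-Attempt detected" message.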
