- This topic is empty.
-
AuthorPosts
-
August 27, 2009 at 6:43 pm #25906KapitolMember
Greetings Everyone,
After viewing Chris’s tutorial on 62-advanced-form-styling-functionality I decided to chose it and used it in a clients site. I changed the form slightly with different options. Changed some of the code in the header to reflect these changes. I developed this site locally using Xampp so I couldn’t test the forms. Now they are on a live site and the forms don’t actually work. I don’t know why. Would someone be willing to look over this code to see if something is off for me?
Code:
>
There was a hacking attempt on your form. n
Date of Attack: {$date}
IP-Adress: {$ip} n
Host of Attacker: {$host}
Point of Attack: {$where}
<< End of Message >>
LOG;
// Awkward but LOG must be flush left// open log file
if($handle = fopen(‘hacklog.log’, ‘a’)) {fputs($handle, $logging); // write the Data to file
fclose($handle); // close the file} else { // if first method is not working, for example because of wrong file permissions, email the data
$to = ‘[email protected]’;
$subject = ‘HACK ATTEMPT’;
$header = ‘From: [email protected]’;
if (mail($to, $subject, $logging, $header)) {
echo “Sent notice to admin.”;
}}
}function verifyFormToken($form) {
// check if a session is started and a token is transmitted, if not return an error
if(!isset($_SESSION[$form.’_token’])) {
return false;
}// check if the form is sent with token in it
if(!isset($_POST[‘token’])) {
return false;
}// compare the tokens against each other if they are still the same
if ($_SESSION[$form.’_token’] !== $_POST[‘token’]) {
return false;
}return true;
}function generateFormToken($form) {
// generate a token from an unique value, took from microtime, you can also use salt-values, other crypting methods…
$token = md5(uniqid(microtime(), true));// Write the generated token to the session variable to check it against the hidden field when the form is sent
$_SESSION[$form.’_token’] = $token;return $token;
}// VERIFY LEGITIMACY OF TOKEN
if (verifyFormToken(‘form1’)) {// CHECK TO SEE IF THIS IS A MAIL POST
if (isset($_POST[‘req-phone’])) {// Building a whitelist array with keys which will send through the form, no others would be accepted later on
$whitelist = array(‘token’,’req-name’,’req-email’,’req-phone’,’req-position’, ‘curText’, ‘save-stuff’);// Building an array with the $_POST-superglobal
foreach ($_POST as $key=>$item) {// Check if the value $key (fieldname from $_POST) can be found in the whitelisting array, if not, die with a short message to the hacker
if (!in_array($key, $whitelist)) {writeLog(‘Unknown form fields’);
die(“Hack-Attempt detected. Please use only the fields in the form”);}
}// Lets check the URL whether it’s a real URL or not. if not, stop the script
if(!filter_var($_POST[‘URL-main’],FILTER_VALIDATE_URL)) {
writeLog(‘URL Validation’);
die(‘Hack-Attempt detected. Please insert a valid URL’);
}// SAVE INFO AS COOKIE, if user wants name and email saved
$saveCheck = $_POST[‘save-stuff’];
if ($saveCheck == ‘on’) {
setcookie(“WRCF-Name”, $_POST[‘req-name’], time()+60*60*24*365);
setcookie(“WRCF-Phone”, $_POST[‘req-phone’], time()+60*60*24*365);
setcookie(“WRCF-Email”, $_POST[‘req-email’], time()+60*60*24*365);}
// PREPARE THE BODY OF THE MESSAGE
$message = ‘
‘;
$message .= ‘‘;
$message .= “Name: ” . strip_tags($_POST[‘req-name’]) . “ “;
$message .= “Email: ” . strip_tags($_POST[‘req-email’]) . “ “;
$message .= “Position: ” . strip_tags($_POST[‘req-position’]) . “ “;
$message .= “Phone: ” . strip_tags($_POST[‘req-phone’]) . “ “;
$addURLS = $_POST[‘addURLS’];
if (($addURLS) != ”) {
$message .= “URL To Change (additional): ” . strip_tags($addURLS) . “ “;
}
$curText = htmlentities($_POST[‘curText’]);
if (($curText) != ”) {
$message .= “CURRENT Content: ” . $curText . “ “;
}
$message .= “NEW Content: ” . htmlentities($_POST[‘newText’]) . “ “;
$message .= ““;
$message .= ““;// MAKE SURE THE “FROM” EMAIL ADDRESS DOESN’T HAVE ANY NASTY STUFF IN IT
$pattern = “/^[_a-z0-9-]+(.[_a-z0-9-]+)*@[a-z0-9-]+(.[a-z0-9-]+)*(.[a-z]{2,3})$/i”;
if (preg_match($pattern, trim(strip_tags($_POST[‘req-email’])))) {
$cleanedFrom = trim(strip_tags($_POST[‘req-email’]));
} else {
return “The email address you entered was invalid. Please try again!”;
}// CHANGE THE BELOW VARIABLES TO YOUR NEEDS
$to = ‘[email protected]’;
$subject = ‘Feedback’;
$headers = “From: ” . $cleanedFrom . “rn”;
$headers .= “Reply-To: “. strip_tags($_POST[‘req-email’]) . “rn”;
$headers .= “MIME-Version: 1.0rn”;
$headers .= “Content-Type: text/html; charset=ISO-8859-1rn”;if (mail($to, $subject, $message, $headers)) {
echo ‘Your message has been sent.’;
} else {
echo ‘There was a problem sending the email.’;
}// DON’T BOTHER CONTINUING TO THE HTML…
die();}
} else {if (!isset($_SESSION[$form.’_token’])) {
} else {
echo “Hack-Attempt detected. Got ya!.”;
writeLog(‘Formtoken’);
}}
if($_POST[‘submit’] && is_numeric($_POST[‘input’])) {
//process data…
//then die or redirect otherwise the form below will be shown again
}
?>
» Blog Archive
- “Dedicated to providing personalized and professional care to our community.”
NorthStar EMS values input received from our Customers and Team Members. While the following information about you is “Optional” NorthStar EMS would ask that you provide your contact information so that we can respond back to you. Thanks for taking the time to provide us Feedback!
” onkeyup=”javascript:this.value=this.value.replace(/[^0-9]/g, ”);” />
” />
August 28, 2009 at 2:45 am #62929KapitolMemberTo clarify this post. I have edited this form a few times over the past month. I don’t expect a hand out, just someone who knows php to check and see if I combined something in the php which is preventing it from functioning correctly.
-
AuthorPosts
- The forum ‘Back End’ is closed to new topics and replies.