December 8, 2011 at 11:04 pm #35553 phendyr (Member)
Hey all,
I appreciate anyone’s ability to help point me in the right direction. I’ve tried modifying the form created in the tutorial for sending HTML emails with PHP, and have hit a bit of a hiccup. Upon submission of the form, I’m getting the ‘Hack-Attempt detected’ error message. I’ve combed through my field names and don’t see anything missing or misspelled. If someone would be able to point me in the right direction as to what is wrong in my code, I would really appreciate it.
December 9, 2011 at 7:28 am #92324 phendyr (Member)
<?php
session_start();

function getRealIp() {
    // HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are supplied by the client or a proxy
    // and can be forged; only REMOTE_ADDR comes from the TCP connection itself
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) { // check ip from shared internet
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { // check whether the ip is passed from a proxy
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}

function writeLog($where) {
    $ip = getRealIp(); // Get the IP from the superglobal
    $host = gethostbyaddr($ip); // Try to locate the host of the attack
    $date = date("d M Y");
    // create a logging message with php heredoc syntax
    $logging = <<<LOG
<< Start of Message >>
There was a hacking attempt on your form.

Date of Attack: {$date}
IP-Address: {$ip}

Host of Attacker: {$host}
Point of Attack: {$where}
<< End of Message >>

LOG;
    // Awkward, but the closing LOG must be flush left
    // open log file
    if ($handle = fopen('hacklog.log', 'a')) {
        fputs($handle, $logging); // write the data to the file
        fclose($handle); // close the file
    } else { // if the first method is not working, for example because of wrong file permissions, email the data
        $to = '[email protected]';
        $subject = 'HACK ATTEMPT';
        $header = 'From: [email protected]';
        if (mail($to, $subject, $logging, $header)) {
            echo "Sent notice to admin.";
        }
    }
}

function verifyFormToken($form) {
    // check if a session is started and a token is stored, if not return an error
    if (!isset($_SESSION[$form.'_token'])) {
        return false;
    }
    // check if the form is sent with a token in it
    if (!isset($_POST['token'])) {
        return false;
    }
    // compare the tokens against each other to see if they are still the same
    if ($_SESSION[$form.'_token'] !== $_POST['token']) {
        return false;
    }
    return true;
}

function generateFormToken($form) {
    // generate a token from a unique value taken from microtime; you can also use salt values or other hashing methods
    $token = md5(uniqid(microtime(), true));
    // Write the generated token to the session variable to check it against the hidden field when the form is sent
    $_SESSION[$form.'_token'] = $token;
    return $token;
}

// return a posted field with tags stripped, or an empty string when the field
// was not sent at all (unchecked checkboxes are not submitted by the browser)
function field($name) {
    return isset($_POST[$name]) ? strip_tags($_POST[$name]) : '';
}

// VERIFY LEGITIMACY OF TOKEN
if (verifyFormToken('form1')) {
    // CHECK TO SEE IF THIS IS A MAIL POST
    if (isset($_POST['token'])) {
        // Building a whitelist array with the keys the form will send; no others will be accepted later on
        $whitelist = array('token','req-name','req-company','req-email','phone','domino','hitachi','vldeo','markemimaje','diagraph','otherequipment','thermal','hotstamps','labels','inkjet','othercoding','upgrade','othervalues','codequality','price','integration','postsales','interest');
        // Walk the $_POST superglobal
        foreach ($_POST as $key => $item) {
            // Check if $key (a field name from $_POST) is in the whitelist; if not, die with a short message
            if (!in_array($key, $whitelist)) {
                writeLog('Unknown form fields');
                die("Hack-Attempt detected. Please use only the fields in the form");
            }
        }
        // PREPARE THE BODY OF THE MESSAGE
        // (field names follow the order of the whitelist above; simple headings and paragraphs are used as markup)
        $message = '';
        $message .= '<h2>dominovseries.com Contest Submission</h2>';
        $message .= '<h3>Contact Information</h3>';
        $message .= '<p>Name: ' . field('req-name') . '</p>';
        $message .= '<p>Company: ' . field('req-company') . '</p>';
        $message .= '<p>Email: ' . field('req-email') . '</p>';
        $message .= '<p>Phone: ' . field('phone') . '</p>';
        $message .= '<h3>Survey Feedback</h3>';
        $message .= '<p>Equipment Supplier: ' . field('domino') . '</p>';
        $message .= '<p>' . field('hitachi') . '</p>';
        $message .= '<p>' . field('vldeo') . '</p>';
        $message .= '<p>' . field('markemimaje') . '</p>';
        $message .= '<p>' . field('diagraph') . '</p>';
        $message .= '<p>Other Equipment Suppliers: ' . field('otherequipment') . '</p>';
        $message .= '<p>Coding Method: ' . field('thermal') . '</p>';
        $message .= '<p>' . field('hotstamps') . '</p>';
        $message .= '<p>' . field('labels') . '</p>';
        $message .= '<p>' . field('inkjet') . '</p>';
        $message .= '<p>Other Coding Methods: ' . field('othercoding') . '</p>';
        $message .= '<p>Plans to Upgrade: ' . field('upgrade') . '</p>';
        $message .= '<p>Values in a Supplier: ' . field('codequality') . '</p>';
        $message .= '<p>' . field('price') . '</p>';
        $message .= '<p>' . field('integration') . '</p>';
        $message .= '<p>' . field('postsales') . '</p>';
        $message .= '<p>Other Values in a Supplier: ' . field('othervalues') . '</p>';
        $message .= '<p>Interested in Contact: ' . field('interest') . '</p>';
        // CHANGE THE BELOW VARIABLES TO YOUR NEEDS
        $to = '[email protected]';
        $subject = 'Contest Form Submission';
        // NOTE: $cleanedFrom is never assigned anywhere in this script; set it to a fixed sender address before use
        $headers = "From: " . $cleanedFrom . "\r\n";
        // strip_tags() does not remove CR/LF, so a newline in this field could inject additional mail headers;
        // validate it as a single e-mail address (e.g. filter_var with FILTER_VALIDATE_EMAIL) before using it here
        $headers .= "Reply-To: " . field('req-email') . "\r\n";
        $headers .= "MIME-Version: 1.0\r\n";
        $headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
        if (mail($to, $subject, $message, $headers)) {
            echo 'Your message has been sent.';
        } else {
            echo 'There was a problem sending the email.';
        }
        // DON'T BOTHER CONTINUING TO THE HTML...
        die();
    }
} else {
    if (!isset($_SESSION['form1_token'])) {
        // first visit: no token in the session yet, so fall through and show the form
    } else {
        echo "Hack-Attempt detected. Got ya!.";
        writeLog('Formtoken');
    }
}
?>
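As an added example (not code from this thread or from the tutorial it adapts), here is the same token-and-whitelist idea written for PHP 7.1 or later from a defender's point of view: the token comes from the CSPRNG instead of md5(uniqid()), the comparison is constant-time, the whitelist check reports which field actually failed (the information that would have shortened the debugging in this thread), and the Reply-To value is validated before it reaches a mail header. The form name, field list, sample submission and log location are assumptions.

```php
<?php
// Added example, not code from this thread or the tutorial it adapts.
// Requires PHP 7.1+ (random_bytes, hash_equals, nullable return types).
// The form name, field list, sample submission and log location are assumptions.
declare(strict_types=1);

const FORM_NAME = 'form1';
// Fields the form is allowed to submit; any other key is treated as tampering.
const ALLOWED_FIELDS = ['token', 'req-name', 'req-company', 'req-email', 'phone'];

// 32 bytes from the CSPRNG, hex-encoded. md5(uniqid(microtime(), true)) is
// derived from the clock, which an attacker can estimate; random_bytes is not.
function generateFormToken(string $form, array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session[$form . '_token'] = $token;
    return $token;
}

// Returns null when the token is valid, otherwise a short reason for the log.
// hash_equals compares in constant time, so a plain !== cannot leak the
// position of the first differing byte through response timing.
function verifyFormToken(string $form, array $session, array $post): ?string
{
    $expected = $session[$form . '_token'] ?? null;
    if (!is_string($expected)) {
        return 'no token in session';
    }
    $given = $post['token'] ?? null;
    if (!is_string($given)) {
        return 'token field missing or not a string';
    }
    return hash_equals($expected, $given) ? null : 'token mismatch';
}

// Submitted keys that are not whitelisted. Logging the actual names, rather
// than a generic "Unknown form fields", shows which input tripped the check.
function unknownFields(array $post, array $allowed): array
{
    return array_values(array_diff(array_keys($post), $allowed));
}

// The original builds Reply-To from raw input, and strip_tags() does not remove
// newlines; a CR/LF there would append extra mail headers. Accept only a single
// syntactically valid address and otherwise use a fixed one.
function safeReplyTo(string $candidate, string $fallback): string
{
    $email = filter_var(trim($candidate), FILTER_VALIDATE_EMAIL);
    return ($email === false || preg_match('/[\r\n]/', $email)) ? $fallback : $email;
}

// One greppable line per rejected request; nothing is echoed to the browser.
function logRejection(string $where, string $detail, string $ip, string $target): void
{
    $line = sprintf("%s ip=%s where=%s detail=%s\n",
        date('c'), $ip, $where, str_replace(["\r", "\n"], ' ', $detail));
    file_put_contents($target, $line, FILE_APPEND | LOCK_EX);
}

// Demonstration with a constructed session and submission (no browser, no
// session store). The extra "debug" key plays the role of the unexpected
// field behind the "Hack-Attempt detected" message in the thread, and the
// e-mail value carries a constructed CR/LF to show the Reply-To fallback.
$logFile = sys_get_temp_dir() . '/hacklog-demo.log';
$session = [];
$token   = generateFormToken(FORM_NAME, $session);
$post    = [
    'token'     => $token,
    'req-name'  => 'Jane Example',
    'req-email' => "jane@example.com\r\nX-Extra: header", // constructed bad input
    'debug'     => '1',
];

$reason  = verifyFormToken(FORM_NAME, $session, $post);
$unknown = unknownFields($post, ALLOWED_FIELDS);
if ($reason !== null) {
    logRejection('Formtoken', $reason, '203.0.113.10', $logFile);
    echo "Rejected: $reason\n";
} elseif ($unknown !== []) {
    logRejection('Unknown form fields', implode(',', $unknown), '203.0.113.10', $logFile);
    echo 'Rejected: unexpected field(s) ' . implode(', ', $unknown) . " (logged to $logFile)\n";
} else {
    echo 'Accepted; Reply-To would be ' . safeReplyTo($post['req-email'], 'noreply@example.com') . "\n";
}
```

Run as written, the submission is rejected for the unexpected "debug" field and the log line names that field; remove the key and the request is accepted, with Reply-To falling back to noreply@example.com because the CR/LF makes the address fail validation.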
December 9, 2011 at 8:23 am #92326 phendyr (Member)
Honestly not sure. I’m admittedly pretty much a novice when it comes to PHP, so when I created this page I removed all the fields from the tutorial I didn’t need, then added mine one by one, testing to make sure it worked, which it did. Then I added the checkboxes and select inputs, and it broke, so I thought it would be in the ids used. Guess I’ll go back and continue adding one at a time until I see the issue pop up.
December 9, 2011 at 11:27 am #92342 phendyr (Member)
I was able to get my form working successfully. I basically started from scratch and went one by one, testing. Slow, but it won the day :) Now the only issue I see is that upon successful submission, the confirmation statement is hidden by my page’s background image?
December 9, 2011 at 12:04 pm #92348 phendyr (Member)
I’ll give that a shot. Even better, how would I make it redirect to a confirmation page? I tried changing the echo to the Location header below – it still submits the form, just doesn’t do anything.
// CHANGE THE BELOW VARIABLES TO YOUR NEEDS
$to = '[email protected]';
$subject = 'Test form submission from form';
$headers = "From: " . $cleanedFrom . "\r\n";
$headers .= "Reply-To: " . strip_tags($_POST['req-email']) . "\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
if (mail($to, $subject, $message, $headers)) {
    header("Location: thank-you.html");
} else {
    echo 'There was a problem sending the email.';
}
// DON'T BOTHER CONTINUING TO THE HTML...
die();
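As an added example (not code from this thread), a small redirect helper for the post/redirect/get step attempted above. It carries the one check that explains the most common reason a Location header silently does nothing: some output has already been sent, so PHP can no longer change the response headers. The target path is assumed.

```php
<?php
// Added example, not code from this thread: a redirect helper for the
// post/redirect/get pattern attempted above. The target URL is assumed and
// must be a fixed path, never taken from request input.
declare(strict_types=1);

// Sends the redirect if the response headers are still open and returns true;
// otherwise returns false. header() only works before any byte of the body
// has been written: an echo, whitespace before the opening <?php tag, or a
// UTF-8 byte-order mark at the start of the file all count as output, and
// PHP then warns "headers already sent" instead of redirecting.
function redirectAfterSubmit(string $target): bool
{
    $file = '';
    $line = 0;
    if (headers_sent($file, $line)) {
        // Too late for a Location header. Record where output began so the
        // stray byte can be found, and fall back to a client-side hop.
        error_log(sprintf('redirect skipped: output started at %s:%d', $file, $line));
        printf('<meta http-equiv="refresh" content="0;url=%s">',
            htmlspecialchars($target, ENT_QUOTES, 'UTF-8'));
        return false;
    }
    // 303 See Other makes the browser fetch the target with GET, so reloading
    // the thank-you page cannot resubmit the form and send the e-mail twice.
    header('Location: ' . $target, true, 303);
    return true;
}

// In the handler above this replaces the echo of the confirmation text:
//
//   if (mail($to, $subject, $message, $headers)) {
//       redirectAfterSubmit('thank-you.html');
//       exit; // stop here so nothing after the redirect is executed or printed
//   }
```

The error_log line is what to look for first when a redirect "does nothing": it names the file and line where output began, which is usually a blank line or byte-order mark before the opening PHP tag rather than anything in the mail logic.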
December 9, 2011 at 12:29 pm #92349 standuncan (Member)
I think you can use something like this:
if (mail($to, $subject, $message, $headers)) {
    echo ''; // the script tag this post echoed here is not preserved
} else {
    echo 'There was a problem sending the email.';
}
December 9, 2011 at 1:47 pm #92322 phendyr (Member)
Thanks TT_Mark & Standuncan for your help. The rewrite for redirecting to a confirmation page didn’t seem to work with the script in the echo. Neither did applying a z-index to the basic confirmation statement.
Appreciate the effort though. Great site and forum!
December 9, 2011 at 3:07 pm #92358 standuncan (Member)
It’s worked for me in the past so… but my mail function is a little different than yours. I’m not really fluent with PHP, so sorry I can’t help more.
December 9, 2011 at 3:15 pm #92360 phendyr (Member)
Well, I’ve been trying just about every variation of header or echo to make it redirect and nothing has been successful. If anyone has any ideas, I’m all ears :/
Thanks
December 9, 2011 at 3:18 pm #92361 phendyr (Member)
I certainly don’t doubt your code standuncan :) Unfortunately I’m pretty much a novice at editing PHP…. If there was a way to modify the mail function w/o requiring rewriting the whole thing I’d be open to it, but I just don’t know, lol.
Thanks again.