Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Home Forums Back End Why won’t my "secure" form work?

  • This topic is empty.
Viewing 1 post (of 1 total)
  • Author
    Posts
  • #24904
    friendofpugs
    Member

    Hi all!

    First off, as you can probably tell I don’t know much about PHP. I’ve only dabbled in it a little recently, so please be nice to this noob. Basically, I took the recent CSS-Tricks article and tried to adapt it for my purposes, ‘cuz I’ve been getting some spam on my "contact me" form. Silly me, when you disable javascript, the form still submits. Anyway, I wanted to have something more secure that would strip out funny business, etc. I tried this and nothing works. However, I uploaded the CSS-Tricks example form to a separate directory on my webserver and it works just peachy.

    Code:
    >
    There was a hacking attempt on your form. n
    Date of Attack: {$date}
    IP-Adress: {$ip} n
    Host of Attacker: {$host}
    Point of Attack: {$where}
    << End of Message >>
    LOG;
    // Awkward but LOG must be flush left

    // open log file
    if($handle = fopen(‘hacklog.log’, ‘a’)) {

    fputs($handle, $logging); // write the Data to file
    fclose($handle); // close the file

    } else { // if first method is not working, for example because of wrong file permissions, email the data

    $to = ‘[email protected]’;
    $subject = ‘HACK ATTEMPT’;
    $header = ‘From: [email protected]’;
    if (mail($to, $subject, $logging, $header)) {
    echo “Sent notice to admin.”;
    }

    }
    }

    function verifyFormToken($form) {

    // check if a session is started and a token is transmitted, if not return an error
    if(!isset($_SESSION[$form.’_token’])) {
    return false;
    }

    // check if the form is sent with token in it
    if(!isset($_POST[‘token’])) {
    return false;
    }

    // compare the tokens against each other if they are still the same
    if ($_SESSION[$form.’_token’] !== $_POST[‘token’]) {
    return false;
    }

    return true;
    }

    function generateFormToken($form) {

    // generate a token from an unique value, took from microtime, you can also use salt-values, other crypting methods…
    $token = md5(uniqid(microtime(), true));

    // Write the generated token to the session variable to check it against the hidden field when the form is sent
    $_SESSION[$form.’_token’] = $token;

    return $token;
    }

    // VERIFY LEGITIMACY OF TOKEN
    if (verifyFormToken(‘form1’)) {

    // CHECK TO SEE IF THIS IS A MAIL POST
    if (isset($_POST[‘URL-main’])) {

    // Building a whitelist array with keys which will send through the form, no others would be accepted later on
    $whitelist = array(‘token’,’req-name’,’req-email’,’req-description’);

    // Building an array with the $_POST-superglobal
    foreach ($_POST as $key=>$item) {

    // Check if the value $key (fieldname from $_POST) can be found in the whitelisting array, if not, die with a short message to the hacker
    if (!in_array($key, $whitelist)) {

    writeLog(‘Unknown form fields’);
    die(“Hack-Attempt detected. Please use only the fields in the form”);

    }
    }

    $message = ”;

    $message .= “Name: ” . strip_tags($_POST[‘req-name’]) . “n”; // In about every case, there have no script-tags within a name, so kick them out!
    $message .= “Email: ” . strip_tags($_POST[‘req-email’]) . “nn”; // same procedure here, another method (in php5) is the filter_var funciton to check if the input is a valid email adress

    $message .= “Project Description: ” . strip_tags($_POST[‘req-description’]) . “n”;

    $message .= “n”;

    $to = ‘[email protected]’;
    $subject = ‘Hooray! You got a bite off your website!’;
    $header = ‘From: [email protected]racinewebworks.com’;

    if (mail($to, $subject, $message, $header)) {
    echo ‘Your message has been sent.’;
    } else {
    echo ‘There was a problem sending your contact message’;
    }

    // DON’T BOTHER CONTINUING TO THE HTML…
    die();

    }
    } else {

    if (!isset($_SESSION[$form.’_token’])) {

    } else {
    echo ‘Hack-Attempt detected. Got ya!’;
    writeLog(‘Formtoken’);
    }

    }
    ?>




    Your name:

All I want is to securely submit three fields (strip out funny business), but no go. I like the token concept and I don’t mind the weak md5 ‘cuz I figure something is better than nothing. I don’t need the log feature, but I didn’t want to break it further. Why won’t it work? It’s probably something silly. Thanks for whatever help you can provide.

BTW, is there an IDE that would help me debug something like this? Aptana or Eclipse or Netbeans or something? Thnx.

Viewing 1 post (of 1 total)