Why won’t my "secure" form work?

[friendofpugs]

Hi all!

First off, as you can probably tell I don’t know much about PHP. I’ve only dabbled in it a little recently, so please be nice to this noob. Basically, I took the recent CSS-Tricks article and tried to adapt it for my purposes, ‘cuz I’ve been getting some spam on my "contact me" form. Silly me, when you disable javascript, the form still submits. Anyway, I wanted to have something more secure that would strip out funny business, etc. I tried this and nothing works. However, I uploaded the CSS-Tricks example form to a separate directory on my webserver and it works just peachy.

Code:

>
There was a hacking attempt on your form. n
Date of Attack: {$date}
IP-Adress: {$ip} n
Host of Attacker: {$host}
Point of Attack: {$where}
<< End of Message >>
LOG;
// Awkward but LOG must be flush left

// open log file
if($handle = fopen(‘hacklog.log’, ‘a’)) {

fputs($handle, $logging); // write the Data to file
fclose($handle); // close the file

} else { // if first method is not working, for example because of wrong file permissions, email the data

$to = ‘[email protected]’;
$subject = ‘HACK ATTEMPT’;
$header = ‘From: [email protected]’;
if (mail($to, $subject, $logging, $header)) {
echo “Sent notice to admin.”;
}

}
}

function verifyFormToken($form) {

// check if a session is started and a token is transmitted, if not return an error
if(!isset($_SESSION[$form.’_token’])) {
return false;
}

// check if the form is sent with token in it
if(!isset($_POST[‘token’])) {
return false;
}

// compare the tokens against each other if they are still the same
if ($_SESSION[$form.’_token’] !== $_POST[‘token’]) {
return false;
}

return true;
}

function generateFormToken($form) {

// generate a token from an unique value, took from microtime, you can also use salt-values, other crypting methods…
$token = md5(uniqid(microtime(), true));

// Write the generated token to the session variable to check it against the hidden field when the form is sent
$_SESSION[$form.’_token’] = $token;

return $token;
}

// VERIFY LEGITIMACY OF TOKEN
if (verifyFormToken(‘form1’)) {

// CHECK TO SEE IF THIS IS A MAIL POST
if (isset($_POST[‘URL-main’])) {

// Building a whitelist array with keys which will send through the form, no others would be accepted later on
$whitelist = array(‘token’,’req-name’,’req-email’,’req-description’);

// Building an array with the $_POST-superglobal
foreach ($_POST as $key=>$item) {

// Check if the value $key (fieldname from $_POST) can be found in the whitelisting array, if not, die with a short message to the hacker
if (!in_array($key, $whitelist)) {

writeLog(‘Unknown form fields’);
die(“Hack-Attempt detected. Please use only the fields in the form”);

}
}

$message = ”;

$message .= “Name: ” . strip_tags($_POST[‘req-name’]) . “n”; // In about every case, there have no script-tags within a name, so kick them out!
$message .= “Email: ” . strip_tags($_POST[‘req-email’]) . “nn”; // same procedure here, another method (in php5) is the filter_var funciton to check if the input is a valid email adress

$message .= “Project Description: ” . strip_tags($_POST[‘req-description’]) . “n”;

$message .= “n”;

$to = ‘[email protected]’;
$subject = ‘Hooray! You got a bite off your website!’;
$header = ‘From: [email protected]’;

if (mail($to, $subject, $message, $header)) {
echo ‘Your message has been sent.’;
} else {
echo ‘There was a problem sending your contact message’;
}

// DON’T BOTHER CONTINUING TO THE HTML…
die();

}
} else {

if (!isset($_SESSION[$form.’_token’])) {

} else {
echo ‘Hack-Attempt detected. Got ya!’;
writeLog(‘Formtoken’);
}

}
?>

Your name:

[Author]

Posts