kake26/contactform
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions

csrf token added and filter changes

Browse source
This commit is contained in:
Paul M 2023-11-12 20:58:19 -06:00
parent 56c808c984
commit f47a26a7e7
2 changed files with 369 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

174
contactform.php
View file

@ -5,21 +5,33 @@
// Anti exploit code, not perfect but should throw a wrench into a bot's plan
// This code has been used on several sites before and does seem to do a decent job, not perfect but pretty good
// The form code is now part of the php file so when the form is loaded the php can run to extend the
// functionality of the rate limiting code
session_start();
$csrf_token = bin2hex(random_bytes(32));
if (!isset($_SESSION['csrf_token'])) {
$_SESSION['csrf_token'] = $csrf_token;
}
//$_SESSION['csrf_token'] = $csrf_token;
class antibot {
private $passfail;
public $token;
function __constructor(){
$passfail = 0;
// beter way to filter input data
$_POST = filter_var_array($_POST, FILTER_UNSAFE_RAW);
$_GET = filter_var_array($_GET, FILTER_UNSAFE_RAW);
$_POST = filter_var_array($_POST, FILTER_SANITIZE_STRING);
$_GET = filter_var_array($_GET, FILTER_SANITIZE_STRING);
}
private function fromtest() {
if ($_SERVER['HTTP_REFERER'] = "http://yourwebsite.com/contactus/"){
if ($_SERVER['HTTP_REFERER'] = "https://urandom.link/contactform.php"){
$passfail = 1;
}
@ -56,7 +68,7 @@ class antibot {
// First clean the data
$fname = $_POST["fname"];
$lname = $_POST["lname"];
$email = $_POST["email"];
$email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
$comments = $_POST["comments"];
// compile cleaned message
$msg = "From $fname Subject $lname email $email with message $comments";
@ -68,24 +80,162 @@ class antibot {
$this->ratetest();
$result = $this->traptest();
if($result == 3) {
$this->sndmsg("you@yoursite.com");
$this->sndmsg("webmaster@pngpst.net");
return 3;
}else{
return 0;
}
}
}
$lcheck = new antibot();
$winner = $lcheck->do_tests();
if ($winner == 3){
echo "Form Submitted thank you!";
}else{
echo "Error: Send failed, please try again.";
}
$antibot = new antibot();
if ($_SERVER["REQUEST_METHOD"] == "POST") {
// Check if the CSRF token is present
if (isset($_POST['csrf_token'])) {
$user_token = $_POST['csrf_token'];
// Check if the submitted token matches the stored session token
if ($user_token === $_SESSION['csrf_token']) {
// Token is valid, process the form
// ... Your form processing logic goes here ...
$winner = $antibot->do_tests();
if ($winner == 3){
echo "Form Submitted thank you!";
}else{
echo "Error: Send failed, please try again. -1";
}
} else {
// Invalid token, handle accordingly (e.g., log the incident, reject the form)
die("Error: Send failed, please try again. -2");
}
} else {
// CSRF token is not present, handle accordingly
die("Error: Send failed, please try again. -3");
}
} //else {
// Handle non-POST requests accordingly
//die("Invalid request method.");
//}
// $winner = $lcheck->do_tests();
//if ($winner == 3){
// echo "Form Submitted thank you!";
// }else{
// echo "Error: Send failed, please try again.";
//}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Urandom.link contact form</title>
</head>
<body>
<div id="container">
<div id="header">
<div id="headerleft">
<div id="title"><a href="https://urandom.link">Urandom.link</a><br />
<h3>Embrace the random!</h3>
</div>
</div>
<div id="headerright">
<div id="flickr">
</div>
</div>
</div>
</div>
<div id="content">
<div id="center">
<div class="post">
<h1><a href="#">Contact us</a></h1>
<div class="storycontent">
<div>
<form action="https://urandom.link/contactform.php" method="post" id="contact">
<table>
<tr>
<td>
Your Name: <input type="text" name="fname" />
</td></tr>
<tr>
<td>
Subject:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <input type="text" name="lname" />
</td>
</tr>
<tr>
<td>
E-mail:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <input type="text" name="email" />
</td>
</tr>
<tr>
<td>
Message:&nbsp;&nbsp;&nbsp; <textarea name="comments" cols="50" rows="25"></textarea>
</td>
</tr>
<tr>
<td>
<input type="text" name="website" style=" display: none;"/>
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>"/>
<button type="submit">Send Message </button>
</td>
</tr>
</table>
</form>
</div>
</div>
</div>
</div>
<div id="sidebar">
<div id="left">
</div>
</div>
<div style="clear: both"><br /></div>
<div id="footer">
<div id="footernote">
</div>
</div>
</body>
</html>

207
contactus.html Normal file
View file

@ -0,0 +1,207 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>New Hope Ranch</title>
<link href="https://nhrtc.rehab/style.css" rel="stylesheet" type="text/css" />
<script type="javascript" src="https://nhrtc.rehab/js/jquery.js"></script>
<script type="javascript" src="https://nhrtc.rehab/js/mod.js"></script>
<script type="javascript" src="https://nhrtc.rehab/js/frm.js"></script>
</head>
<body>
<div id="container">
<div id="header">
<div id="headerleft">
<div id="title"><a href="https://nhrtc.rehab">New H.O.P.E. Ranch</a><br />
<h3>Hold on, Pain ends</h3>
</div>
</div>
<div id="headerright">
<div id="flickr">
<img src="../new-hope-ranch-logo4small.png" style="float:right" alt="small logo"/></div>
</div>
</div>
</div>
<div id="content">
<div id="center">
<div class="post">
<h1><a href="#">Contact us</a></h1>
<div class="storycontent">
<div>
<form action="https://nhrtc.rehab/contactform.php" method="post" id="contact">
<table>
<tr>
<td>
Your Name: <input type="text" name="fname" />
</td></tr>
<tr>
<td>
Subject:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <input type="text" name="lname" />
</td>
</tr>
<tr>
<td>
E-mail:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <input type="text" name="email" />
</td>
</tr>
<tr>
<td>
Message:&nbsp;&nbsp;&nbsp; <textarea name="comments" cols="50" rows="25"></textarea>
</td>
</tr>
<tr>
<td>
<input type="text" name="website" style=" display: none;"/>
<button type="submit">Send Message </button>
</td>
</tr>
</table>
</form>
</div>
</div>
</div>
</div>
<div id="sidebar">
<div id="left">
<h2>Main Menu</h2>
<div id="bullet2">
<ul>
<li>
<a href="/">
<span>Home</span>
</a></li>
<li>
<a href="/about">
<span>About</span>
</a></li>
<li>
<a href="/benefits">
<span>Benefits of working with horses</span>
</a></li>
<li>
<a href="/comittment">
<span>Comittment to excellence</span>
</a></li>
<li>
<a href="/contactus">
<span>Contact Us</span>
</a></li>
<li>
<a href="/donations">
<span>Donations</span>
</a></li>
<li>
<a href="/ourprograms">
<span>Our Programs</span>
</a></li>
<li>
<a href="/values">
<span>Our Values</span>
</a></li>
<li class="">
<a href="/it">
<span>Ranch IT Page</span>
</a></li>
<ul class="sub-menu">
<li class="">
<a href="/it/software">Software</a>
</li>
</ul>
<li>
<a href="/whatwedo">
<span>What we do</span>
</a></li>
</ul>
</div>
</div>
</div>
</div>
<div style="clear: both"><br /></div>
<div id="footer">
<div id="footernote">
<p>
<a href="http://validator.w3.org/check?uri=nhrtc.rehab"><img
src="../valid-xhtml10.png" alt="Valid XHTML 1.0 Transitional" height="31" width="88" /></a>
</p>
</div>
</div>
</body>
</html>