Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 10 of 10
  1. #1
    New Coder
    Join Date
    Apr 2011
    Posts
    65
    Thanks
    10
    Thanked 0 Times in 0 Posts

    Help me finish securing my web form

    Hi, i'm very inexperienced when it comes to php and i'm trying to secure a web-form i've created. I think i'm almost done but i don't seem to be able to implement CAPTCHA properly. The widget shows up in the form but i'm not sure if it is validating. I know i'm missing a couple of vital bits of code but i don't know what they are.

    I want to my form to be validated by my own code first, then if the input is validated i want to check if the CAPTCHA input is correct. Can someone help me out please?

    Code:
    <div id="contact-form" class="clearfix">
    					<h1>Get In Touch!</h1>
    					<h2>
    						Please provide as much information as possible for me to help you with your enquiry
    					</h2>
    					<?php  
    						//init variables  
    						$cf = array();  
    						$sr = false;  
    							
    						if(isset($_SESSION['cf_returndata'])){  
    								$cf = $_SESSION['cf_returndata'];  
    								$sr = true;  
    						}  
    					?>  
    					<ul id="errors" class="<?php echo ($sr && !$cf['form_ok']) ? 'visible' : ''; ?>">  
    						<li id="info">There were some problems with your form submission:</li>  
    						<?php  
    						if(isset($cf['errors']) && count($cf['errors']) > 0) :  
    								foreach($cf['errors'] as $error) :  
    						?>  
    						<li><?php echo $error ?></li>  
    						<?php  
    								endforeach;  
    						endif;  
    						?>  
    					</ul>  
    					<p id="success" class="<?php echo ($sr && $cf['form_ok']) ? 'visible' : ''; ?>">Thanks for your message! We will get back to you ASAP!</p> 
    					<form method="post" action="process.php">
    						<label for="name">Name: <span class="required">*</span></label>  
    						<input type="text" id="name" name="name" value="<?php echo ($sr && !$cf['form_ok']) ? $cf['posted_form_data']['name'] : '' ?>" placeholder="John Doe" required="required" autofocus="autofocus" />  
    								
    						<label for="email">Email Address: <span class="required">*</span></label>  
    						<input type="email" id="email" name="email" value="<?php echo ($sr && !$cf['form_ok']) ? $cf['posted_form_data']['email'] : '' ?>" placeholder="johndoe@example.com" required="required" />  
    		
    						<label for="message">Message: <span class="required">*</span></label>  
    						<textarea id="message" name="message" placeholder="Your message must be greater than 20 charcters" required="required" data-minlength="20"><?php echo ($sr && !$cf['form_ok']) ? $cf['posted_form_data']['message'] : '' ?></textarea>  
    							
    						<span id="loading"></span>  
    						
    						<!--recaptcha-->
    						<?php
    							require_once('recaptchalib.php');
    							$publickey = "6Leb48cSAAAAALi84SNJgUgrgKNbfstSQu1Y1GJj"; 
    							echo recaptcha_get_html($publickey);
    						?>
    						
    						<input type="submit" value="Send!" id="submit-button" />  
    						<p id="req-field-desc"><span class="required">*</span> indicates a required field</p> 
    					</form>
    				<?php unset($_SESSION['cf_returndata']); ?>  	
    				</div>
    PHP Code:
    <?php        // captcha
      
    require_once('recaptchalib.php');
      
    $privatekey "6Leb48cSAAAAALzy2VHGtkGniE-8o5KJcoQkyjA7";
      
    $resp recaptcha_check_answer ($privatekey,
                                    
    $_SERVER["REMOTE_ADDR"],
                                    
    $_POST["recaptcha_challenge_field"],
                                    
    $_POST["recaptcha_response_field"]);

      if (!
    $resp->is_valid) {
        
    // What happens when the CAPTCHA was entered incorrectly
        
    die ("The reCAPTCHA wasn't entered correctly. Go back and try it again." .
             
    "(reCAPTCHA said: " $resp->error ")");
      } else {
        
    // Your code here to handle a successful verification
      
    }
    ?>

    <?php
    if( isset($_POST) ){

        
    //security functions
        
        
    function cleanInput($input) {

      
    $search = array(
        
    '@<script[^>]*?>.*?</script>@si',   // Strip out javascript
        
    '@<[\/\!]*?[^<>]*?>@si',            // Strip out HTML tags
        
    '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
        
    '@<![\s\S]*?--[ \t\n\r]*>@'         // Strip multi-line comments
      
    );

        
    $output preg_replace($search''$input);
        return 
    $output;
      }

        
        function 
    sanitize($input) {
        if (
    is_array($input)) {
            foreach(
    $input as $var=>$val) {
                
    $output[$var] = sanitize($val);
            }
        }
        else {
            if (
    get_magic_quotes_gpc()) {
                
    $input stripslashes($input);
            }
            
    $input  cleanInput($input);
            
    $output mysql_real_escape_string($input);
        }
        return 
    $output;
        }


        
    //form validation vars
        
    $formok true;
        
    $errors = array();

        
    //sumbission data
        
    $ipaddress $_SERVER['REMOTE_ADDR'];
        
    $date date('d/m/Y');
        
    $time date('H:i:s');

        
    //form data
        
    $name sanitize($_POST['name']);
        
    $email sanitize($_POST['email']);
        
    $message sanitize($_POST['message']);

        
    //form validation to go here....
        
        //validate name is not empty  
        
    if(empty($name)){  
         
    $formok false;  
         
    $errors[] = "You have not entered a name";  
        } 

        
    //validate email address is not empty  
        
    if(empty($email)){  
            
    $formok false;  
            
    $errors[] = "You have not entered an email address";  
        
    //validate email address is valid  
        
    }elseif(!filter_var($emailFILTER_VALIDATE_EMAIL)){  
            
    $formok false;  
            
    $errors[] = "You have not entered a valid email address";  
        }  
        
        
    //validate message is not empty  
        
    if(empty($message)){  
            
    $formok false;  
            
    $errors[] = "You have not entered a message";  
        }  
        
    //validate message is greater than 20 charcters  
        
    elseif(strlen($message) < 20){  
            
    $formok false;  
            
    $errors[] = "Your message must be greater than 20 characters";  
        }  
        
        
    //send email if all is ok  
        
    if($formok){  
        
    $headers "From: {$email}" "\r\n";  
        
    $headers .= 'Content-type: text/html; charset=iso-8859-1' "\r\n";  
      
        
    $emailbody "<p>You have recieved a new message from the enquiries form on your website.</p> 
                      <p><strong>Name: </strong> {$name} </p> 
                      <p><strong>Email Address: </strong> {$email} </p> 
                      <p><strong>Message: </strong> {$message} </p> 
                      <p>This message was sent from the IP Address: {$ipaddress} on {$date} at {$time}</p>"
    ;  
      
        
    mail("xxxxxxxxx@gmail.com","New Enquiry",$emailbody,$headers);  
      
        }  
        
        
    //what we need to return back to our form  
        
    $returndata = array(  
        
    'posted_form_data' => array(  
                
    'name' => $name,  
                
    'email' => $email,  
                
    'message' => $message  
        
    ),  
                
    'form_ok' => $formok,  
                
    'errors' => $errors  
        
    );  
        
        
    //if this is not an ajax request  
        
    if(empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) !== 'xmlhttprequest'){  
      
        
    //set session variables  
        
    session_start();  
        
    $_SESSION['cf_returndata'] = $returndata;  
      
        
    //redirect back to form  
        
    header('location: ' $_SERVER['HTTP_REFERER']);  
      
        }  

    }
    Last edited by gnolan; 09-07-2011 at 02:53 PM.

  • #2
    New Coder
    Join Date
    Apr 2011
    Posts
    65
    Thanks
    10
    Thanked 0 Times in 0 Posts
    Any chance of some help with this one? I've read over the google documentation a few times but to no avail.

    The code seems to be validating the captcha input - that is to say, if the input is correct it sends an email, if it is incorrect it doesn't. The problem is that no matter what the captcha input, it will thank the user for the message and appear to be successful even if it is not.

  • #3
    Senior Coder
    Join Date
    Nov 2010
    Posts
    1,368
    Thanks
    262
    Thanked 32 Times in 31 Posts
    just a thought here, i got away from using captcha along time ago because bots as you know have a way around many of them, stupid smartbots.

    Most everyone i know is either going toward visual captcha or question captcha.

    Just thought i might ask if you have considered either of those before you get too deep here.

    A question anti bot is so easy to do, just assign a session answer, put the input in your form, if it matches great if not error.

    Many bots cannot think for themselves which is why like most i got away from the normal captcha and went with anit bot question.

    Just thought i would ask, are you dead set on normal captcha?

  • #4
    New Coder
    Join Date
    Apr 2011
    Posts
    65
    Thanks
    10
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by durangod View Post
    just a thought here, i got away from using captcha along time ago because bots as you know have a way around many of them, stupid smartbots.

    Most everyone i know is either going toward visual captcha or question captcha.

    Just thought i might ask if you have considered either of those before you get too deep here.

    A question anti bot is so easy to do, just assign a session answer, put the input in your form, if it matches great if not error.

    Many bots cannot think for themselves which is why like most i got away from the normal captcha and went with anit bot question.

    Just thought i would ask, are you dead set on normal captcha?
    No i'm not dead set on it at all. In fact, i think it's a bit ugly and clunky on the page. Given that I know very little about it could you give me a quick rundown on how to implement a question anti-bot, or provide a link to some simple instructions? Thanks.

  • #5
    Senior Coder
    Join Date
    Nov 2010
    Posts
    1,368
    Thanks
    262
    Thanked 32 Times in 31 Posts
    yeah anti bot is so much easier.

    i wrote some instructions about this on one of my sites, here ya go. It will give you the general idea behind it.

    http://www.datingsiteownerforum.com/...t=anti+bot#p59

    hope that helps you.. if you need anything let us know, the great guys and gals here will be glad to help ya.

    Just remember the anti bot is very flexible you can have the text say anything you want, how many letters in a word, what color is the sky, multiply this by this and post results, whatever you like, as long as the input and session answer match, your good to go.
    Last edited by durangod; 09-08-2011 at 02:45 PM.

  • #6
    New Coder
    Join Date
    Apr 2011
    Posts
    65
    Thanks
    10
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by durangod View Post
    yeah anti bot is so much easier.

    i wrote some instructions about this on one of my sites, here ya go. It will give you the general idea behind it.

    http://www.datingsiteownerforum.com/...t=anti+bot#p59

    hope that helps you.. if you need anything let us know, the great guys and gals here will be glad to help ya.

    Just remember the anti bot is very flexible you can have the text say anything you want, how many letters in a word, what color is the sky, multiply this by this and post results, whatever you like, as long as the input and session answer match, your good to go.
    Thanks for the link. I went searching for 'anti-bot question' and one of the matches came up with something that wouldn't have occurred to me: creating an input field that is hidden on the form. This can't be filled in by the user but will be filled by any bots. I perform a check in my process.php file to check that the input field is empty, if so the email is sent, if not no email is sent.

    Is this still a good way to avoid spam?

  • #7
    Senior Coder
    Join Date
    Nov 2010
    Posts
    1,368
    Thanks
    262
    Thanked 32 Times in 31 Posts
    That is the first i have heard of that. My first question is how are you going to get bots to fill it in? I guess im not understanding if users cant input how will bots input?

    You could also be leaving yourself wide open because if somehow the bots learn no imput is required then they can run a muck sending spam.

    I would prefer to make them think on the answer, the more you make them think the more you can be assured it is a live person sitting there at the keyboard not a bot.

  • #8
    New Coder
    Join Date
    Apr 2011
    Posts
    65
    Thanks
    10
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by durangod View Post
    That is the first i have heard of that. My first question is how are you going to get bots to fill it in? I guess im not understanding if users cant input how will bots input?

    You could also be leaving yourself wide open because if somehow the bots learn no imput is required then they can run a muck sending spam.

    I would prefer to make them think on the answer, the more you make them think the more you can be assured it is a live person sitting there at the keyboard not a bot.
    Apparently the bots won't see the page as we do in the browser. They will simply look at the markup, search for any forms and fill out whatever inputs are there. So the input field will be visible in the the HTML but is hidden from the user through "display: hidden" in the CSS file.

  • #9
    Senior Coder
    Join Date
    Nov 2010
    Posts
    1,368
    Thanks
    262
    Thanked 32 Times in 31 Posts
    wow interesting, i guess you would be leaving alot up to chance that they are programmed to fill out every field.

  • #10
    New Coder
    Join Date
    Apr 2011
    Posts
    65
    Thanks
    10
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by durangod View Post
    wow interesting, i guess you would be leaving alot up to chance that they are programmed to fill out every field.
    Maybe, maybe not. There's no indication in the html that this field should or should not be filled out so i'm hoping i'll be ok.

    Can you tell me if my sanitizing code looks alright?


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •