After viewing Chris's tutorial on 62-advanced-form-styling-functionality I decided to choose it and used it in a client's site. I changed the form slightly with different options. Changed some of the code in the header to reflect these changes. I developed this site locally using XAMPP so I couldn't test the forms. Now they are on a live site and the forms don't actually work. I don't know why. Would someone be willing to look over this code to see if something is off for me?
<?php
/* Template Name: Feedback */
// Keep the template header and the session code in one PHP block. In the
// posted version there was a space between "?>" and the second "<?php"; that
// space is sent to the browser before session_start() runs, so PHP reports
// "headers already sent", no session is created, and the token check below
// then fails for every submission.
session_start();

function getRealIp() {
    // Note: HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are supplied by the client
    // and can be forged, so treat the result as informational (for the log only).
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
        // check ip from shared internet
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // check whether the ip is passed from a proxy
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}

function writeLog($where) {
    $ip   = getRealIp();        // Get the IP from the superglobal
    $host = gethostbyaddr($ip); // Try to locate the host of the attack
    $date = date("d M Y");

    // create a logging message with php heredoc syntax
    $logging = <<<LOG

<< Start of Message >>
There was a hacking attempt on your form.

Date of Attack: {$date}
IP-Adress: {$ip}

Host of Attacker: {$host}
Point of Attack: {$where}
<< End of Message >>

LOG;
    // Awkward but LOG must be flush left

    // open log file
    if ($handle = fopen('hacklog.log', 'a')) {
        fputs($handle, $logging); // write the Data to file
        fclose($handle);          // close the file
    } else {
        // if first method is not working, for example because of wrong file
        // permissions, email the data. The mail branch was cut off in the post;
        // the recipient address below is a placeholder.
        mail('admin@example.com', 'Hacking attempt on your form', $logging);
    }
}

// The function header below was missing from the posted code; the function
// is called as verifyFormToken('form1') further down.
function verifyFormToken($form) {
    // check if a session is started and a token is transmitted, if not return an error
    if (!isset($_SESSION[$form.'_token'])) { return false; }
    // check if the form is sent with token in it
    if (!isset($_POST['token'])) { return false; }
    // compare the tokens against each other if they are still the same
    if ($_SESSION[$form.'_token'] !== $_POST['token']) { return false; }
    return true;
}

function generateFormToken($form) {
    // generate a token from a unique value taken from microtime; you can also
    // use salt values, other hashing methods...
    $token = md5(uniqid(microtime(), true));
    // Write the generated token to the session variable to check it against
    // the hidden field when the form is sent
    $_SESSION[$form.'_token'] = $token;
    return $token;
}

// VERIFY LEGITIMACY OF TOKEN
if (verifyFormToken('form1')) {
    // CHECK TO SEE IF THIS IS A MAIL POST
    if (isset($_POST['req-phone'])) {
        // Building a whitelist array with the keys that will be sent through
        // the form; no others are accepted later on
        $whitelist = array('token', 'req-name', 'req-email', 'req-phone', 'req-position', 'curText', 'save-stuff');
        // Walk the $_POST superglobal
        foreach ($_POST as $key => $item) {
            // Check if the key (field name from $_POST) can be found in the
            // whitelist array; if not, die with a short message to the hacker
            if (!in_array($key, $whitelist)) {
                writeLog('Unknown form fields');
                die("Hack-Attempt detected. Please use only the fields in the form");
            }
        }
        // Let's check the URL whether it's a real URL or not. If not, stop the script
        // (the rest of the handler was not included in the post)
    }
}
To clarify this post: I have edited this form a few times over the past month. I don't expect a handout, just someone who knows PHP to check and see if I combined something in the PHP which is preventing it from functioning correctly.