Exemple #1
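 /**
  * Show the contact page and process a submitted contact form.
  *
  * Plain request: selects the template for $lang, issues a fresh form token
  * via generate_form_token('contact') and hands it to the template as
  * 'token'. POST with 'submit': verifies the token, rejects any field name
  * outside the expected set, sanitises the inputs, validates them through
  * check_input() and sends the mail through phpmailer(). The template
  * receives 'errors' (validation messages) and 'success'.
  *
  * @param string $lang language code taken from the URL; "sr" selects the
  *                     Serbian template, anything else the English one
  */
 public function index($lang = "")
 {
     // Approach follows https://css-tricks.com/serious-form-security/
     $this->to_tpl['errors'] = array();
     $this->to_tpl['success'] = false;
     $this->set_language($lang);
     // Strict comparison: with == a non-string $lang (e.g. 0) could loosely
     // equal "sr" on PHP < 8.
     $this->template = ($lang === "sr") ? "contact-sr" : "contact-en";
     // NOTE(review): $lang is user-controlled and is used as an array index
     // here, so an unknown code reads an undefined index. Whether a fallback
     // key exists in language_titles cannot be told from this file - confirm.
     $this->set_page_name($this->language_titles["contact"][$lang]);

     if (!isset($_POST['submit'])) {
         // Plain page view: generate a new token (the helper stores it in
         // $_SESSION) for the hidden form field.
         $this->to_tpl['token'] = generate_form_token('contact');
         return;
     }

     if (!verify_form_token('contact')) {
         write_log('Formtoken');
         die("Hack-Attempt detected.");
     }

     // Only these field names may be posted; anything else is treated as
     // tampering. Strict in_array so that an integer key (a field named "0")
     // cannot loosely match a string entry on PHP < 8.
     $whitelist = array('token', 'name', 'email', 'message', 'submit');
     foreach (array_keys($_POST) as $key) {
         if (!in_array($key, $whitelist, true)) {
             write_log('Unknown form fields');
             die("Hack-Attempt detected. Please use only the fields in the form.");
         }
     }

     // The whitelist only rejects extra keys; it does not guarantee that the
     // expected ones are present or are strings (name[]=x arrives as an array
     // and would break the sanitisers). Missing/non-string fields become ''
     // and are left for check_input() to report.
     $field = function ($key) {
         return (isset($_POST[$key]) && is_string($_POST[$key])) ? $_POST[$key] : '';
     };
     $from_name = stripcleantohtml($field('name'));
     $from_email = stripcleantohtml($field('email'));
     $message = cleantohtml($field('message'));

     $errors = $this->check_input($from_name, $from_email, $message);
     if (!empty($errors)) {
         $this->to_tpl['errors'] = $errors;
         // Hand back the token that has just verified so the corrected form
         // can be resubmitted without a fresh page load.
         $this->to_tpl['token'] = $field('token');
         return;
     }

     $send = $this->phpmailer($from_name, $from_email, $message);
     if ($send === true) {
         $this->to_tpl['success'] = true;
         return;
     }
     // Mailer failures are logged server-side only. The previous
     // "var_dump($send); die;" echoed the raw mailer error (SMTP host, server
     // responses, ...) to the visitor, which is an information leak.
     write_log('PHP Mailer error: ' . var_export($send, true));
     die("The message could not be sent. Please try again later.");
 }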
<?php

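/**
 * Reduce untrusted text to an HTML-safe fragment: tags are removed outright,
 * surrounding whitespace trimmed and every remaining special character
 * entity-encoded.
 *
 * Changes from the previous version:
 *  - no stripslashes(): it only undid magic_quotes_gpc (removed in PHP 5.4);
 *    on any current PHP it silently destroys legitimate backslashes.
 *  - ENT_QUOTES instead of ENT_NOQUOTES, so the result is also safe inside a
 *    quoted HTML attribute, not only in text content.
 *  - ENT_SUBSTITUTE, so invalid UTF-8 is replaced by U+FFFD instead of making
 *    htmlentities() return '' and silently discard the whole value.
 *
 * CR/LF and other control characters are NOT removed: do not put the result
 * into a mail header without further filtering.
 *
 * @param string $s raw input (e.g. a $_POST value)
 * @return string HTML-escaped text
 */
function stripcleantohtml($s)
{
    return htmlentities(trim(strip_tags($s)), ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
}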
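/**
 * Make untrusted multi-line text safe for HTML output while keeping it
 * readable: unlike stripcleantohtml(), tags are not removed but shown as
 * literal, entity-encoded text (e.g. "<b>" becomes "&lt;b&gt;").
 *
 * Changes from the previous version:
 *  - no stripslashes(): it only undid magic_quotes_gpc (removed in PHP 5.4)
 *    and otherwise mangles legitimate backslashes.
 *  - ENT_QUOTES | ENT_SUBSTITUTE: quotes are encoded too, and invalid UTF-8
 *    becomes U+FFFD instead of htmlentities() returning '' for the whole value.
 *
 * CR/LF are preserved; the result is for the message body only, never for
 * a mail header.
 *
 * @param string $s raw input (e.g. a $_POST value)
 * @return string HTML-escaped text
 */
function cleantohtml($s)
{
    $encoded = htmlentities(trim($s), ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
    // Every '<' is already '&lt;' at this point, so no tag can survive to
    // strip_tags(); it is kept as in the original because it appears to also
    // drop stray NUL bytes, which htmlentities() passes through - confirm.
    return strip_tags($encoded);
}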
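if ($_POST) {
    // Fetch a POST field as a string; missing or non-string (array) values
    // become '' instead of raising notices / type errors in the sanitisers.
    $field = function ($key) {
        return (isset($_POST[$key]) && is_string($_POST[$key])) ? $_POST[$key] : '';
    };
    // Anything placed in a mail header must not contain CR/LF or other
    // control characters, otherwise the submitter can append extra headers
    // or recipients (mail header injection). The HTML sanitisers above do
    // not remove line breaks, so headers get this extra pass.
    $header_safe = function ($value) {
        return trim(preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value));
    };

    $name = stripcleantohtml($field("name"));
    $mail = stripcleantohtml($field("mail"));
    $object = stripcleantohtml($field("object"));
    $user_message = cleantohtml($field("message"));

    // Only a syntactically valid address is used for Reply-To; anything else
    // simply omits the header instead of handing garbage to the MTA.
    $reply_to = trim($field("mail"));
    if (filter_var($reply_to, FILTER_VALIDATE_EMAIL) === false) {
        $reply_to = '';
    }

    $to = '*****@*****.**';
    $subject = $header_safe($object);
    $message = 'De ' . $name . ' <br><br>Mail : ' . $mail . '<br><br>Message :<br><br>' . $user_message;

    // From: must be an address this server is allowed to send as
    // (SPF/DKIM/DMARC), so it is the site address; the visitor's address goes
    // into Reply-To. The previous code put "name - mail" into From: (not a
    // valid address form) and then lost that header entirely by overwriting
    // $headers with the Content-Type assignment. Header names are followed
    // directly by ':' and the charset label is "UTF-8"; lines are CRLF-joined
    // as mail() expects.
    $header_lines = array(
        'From: ' . $to,
        'Content-Type: text/html; charset=UTF-8',
    );
    if ($reply_to !== '') {
        $header_lines[] = 'Reply-To: ' . $reply_to;
    }
    $headers = implode("\r\n", $header_lines);

    // mail() returns false when the message was not accepted for delivery;
    // record that server-side instead of silently dropping it.
    $send_mail = mail($to, $subject, $message, $headers);
    if ($send_mail === false) {
        error_log('Contact form: mail() was not accepted for delivery');
    }
}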