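/**
 * Handle a submitted contact form (invoked at init via add_action).
 *
 * Reads only $_POST. Returns early when the request is not one of our
 * "send" submissions, or when this request was already processed. A missing
 * or forged form token redirects back to the form (and exits). Otherwise
 * loads options, runs check_security()/validate_data(), and — when no
 * errors were recorded — sends the email and redirects. Uploaded temp files
 * are removed on every path that reaches the end of the method.
 */
static function process_form() { // Invoked at init via add_action
    // Only handle a POST that targets one of our forms with a numeric form id.
    if (!isset($_POST['si_contact_action'], $_POST['form_id'])
        || 'send' !== $_POST['si_contact_action']
        || !is_numeric($_POST['form_id'])) {
        // Error: no form id in $_POST
        return;
    }
    self::$form_id_num = (int) $_POST['form_id'];

    // prevent double action
    if (self::$form_processed) {
        return;
    }

    // begin logic that redirects on forged form token.
    $token_field = 'fs_postonce_' . self::$form_id_num;
    $token = isset($_POST[$token_field]) ? $_POST[$token_field] : null;
    if (!self::is_form_token_valid($token)) {
        // forgery token was no good, so redirect and blank the form
        self::$form_action_url = FSCF_Display::get_form_action_url();
        wp_redirect(self::$form_action_url);
        exit;
    }

    self::$global_options = FSCF_Util::get_global_options();
    // second argument: use defaults for missing form options
    self::$form_options = FSCF_Util::get_form_options(self::$form_id_num, true);

    // Do some security checks
    self::check_security();
    self::validate_data();
    self::$form_processed = true;

    if (empty(self::$form_errors)) {
        // Send the email, cleanup attachments, redirect.
        self::prepare_email();
        if (self::$form_options['email_keep_attachments'] != 'true') {
            self::email_sent_cleanup_attachments();
        }
        self::email_sent_redirect();
    }

    if (!empty(self::$uploaded_files)) {
        // unlink (delete) attachment temp files; best-effort, a failed unlink is not an error here
        foreach ((array) self::$uploaded_files as $path) {
            @unlink($path);
        }
    }
}

/**
 * Validate the anti-forgery form token submitted with the form.
 *
 * The token is expected as "<hash>,<timestamp>" where <hash> must equal
 * wp_hash(<timestamp>) and <timestamp> is all digits.
 *
 * NOTE(review): the timestamp half is only format-checked here; no
 * age/expiry check is applied — confirm whether expiry is enforced elsewhere.
 *
 * @param mixed $token raw $_POST value (may be absent, an array, or any string)
 * @return bool true only for a well-formed token whose hash matches
 */
private static function is_form_token_valid($token) {
    // Reject non-strings up front: a "field[]=x" submission arrives as an
    // array and would otherwise reach strpos()/explode().
    if (!is_string($token) || $token === '' || strpos($token, ',') === false) {
        return false;
    }
    $vars = explode(',', $token);
    if (empty($vars[0]) || empty($vars[1]) || !preg_match('/^[0-9]+$/', $vars[1])) {
        return false;
    }
    // Strict, constant-time comparison. The original loose "!=" let
    // numeric-looking strings (e.g. "0e..." hex digests) compare equal
    // under PHP type juggling and leaked timing on mismatch position.
    return hash_equals((string) wp_hash($vars[1]), $vars[0]);
}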