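/**
 * Validate an incoming contact / "recommend to a friend" form submission.
 *
 * Checks, in this order: the required fields in $d, the form token that the
 * page posts under the key returned by vmCreateHash(), the request method,
 * a mail-header-injection screen over every POSTed value, the presence of
 * the VirtueMart session cookie, and finally the e-mail address fields.
 * Every failure is reported through $vmLogger and signalled by returning
 * false; nothing is thrown.
 *
 * @param array $d  Form data by reference; 'sender_name', 'sender_mail' and
 *                  'recipient_mail' must be non-empty. $d is not modified.
 * @return bool     true when the submission passed every check.
 */
function validate(&$d)
{
    global $vmLogger, $VM_LANG;

    if (empty($d['sender_name'])) {
        $vmLogger->err($VM_LANG->_('CONTACT_FORM_NC', false));
        return false;
    }
    if (empty($d['sender_mail']) || empty($d['recipient_mail'])) {
        $vmLogger->err($VM_LANG->_('CONTACT_FORM_NC', false));
        return false;
    }

    // The form token is posted under a key equal to vmCreateHash(); a
    // missing token most likely means a forged (spoofed) submission.
    $hash = vmCreateHash();
    $validate = vmGet($_POST, $hash, 0);
    if (!$validate) {
        $vmLogger->err('Hash not valid - ' . $hash . $VM_LANG->_('NOT_AUTH', false));
        return false;
    }

    // Fix: the original wrote `!$_SERVER['REQUEST_METHOD'] == 'POST'`, which
    // negates the string first and so never rejected a non-POST request.
    $method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '';
    if ($method !== 'POST') {
        $vmLogger->err('Request must be POSTed - ' . $VM_LANG->_('NOT_AUTH', false));
        return false;
    }

    // Attempt to defend against mail-header injection: reject the request if
    // any POSTed value (nested arrays included) carries one of these header
    // fields. The match is case-insensitive so "BCC:" is caught as well.
    $badStrings = array('Content-Type:', 'MIME-Version:', 'Content-Transfer-Encoding:', 'bcc:', 'cc:');
    if (_validate_contains_header_field($_POST, $badStrings)) {
        $vmLogger->err($VM_LANG->_('NOT_AUTH', false));
        return false;
    }

    $email = vmGet($_POST, 'email', '');
    $text = vmGet($_POST, 'text', '');
    $sender_mail = vmGet($_REQUEST, 'sender_mail', null);
    $recipient_mail = vmGet($_REQUEST, 'recipient_mail', null);
    $message = vmGet($_REQUEST, 'recommend_message', null);

    // The session cookie must be present; cast so a missing cookie (null)
    // is measured as an empty string rather than passed to strlen().
    $sessioncookie = (string) vmGet($_COOKIE, 'virtuemart', null);
    if (strlen($sessioncookie) < 16 || $sessioncookie === '-') {
        $vmLogger->err($VM_LANG->_('VM_COOKIE_MISSING') . '. ' . $VM_LANG->_('NOT_AUTH', false));
        return false;
    }

    // Only a single address may be entered. Fix: compare strpos() against
    // false, otherwise a separator at offset 0 was silently accepted.
    $check = explode('@', $email);
    if (strpos($email, ';') !== false
        || strpos($email, ',') !== false
        || strpos($email, ' ') !== false
        || count($check) > 2
    ) {
        $vmLogger->err($VM_LANG->_('EMAIL_ERR_ONLYONE'));
        return false;
    }

    // Either an address or a sender, and either a text or a message, must be
    // present (parentheses make the original &&/|| precedence explicit).
    if ((!$email && !$sender_mail) || (!$text && !$message)) {
        $vmLogger->err($VM_LANG->_('CONTACT_FORM_NC', false));
        return false;
    }

    if (!empty($email) && !ps_communication::is_email($email)) {
        $vmLogger->err($VM_LANG->_('REGWARN_MAIL', false));
        return false;
    }

    if (!empty($sender_mail)
        && (!ps_communication::is_email($sender_mail) || !ps_communication::is_email($recipient_mail))
    ) {
        $vmLogger->err($VM_LANG->_('EMAIL_ERR_NOINFO', false));
        return false;
    }

    return true;
}

/**
 * Return true when $value, or any element of it if it is an array, contains
 * one of $badStrings (case-insensitive substring match).
 *
 * Helper for validate(); scalar values are compared as strings.
 *
 * @param mixed $value
 * @param array $badStrings
 * @return bool
 */
function _validate_contains_header_field($value, $badStrings)
{
    if (is_array($value)) {
        foreach ($value as $item) {
            if (_validate_contains_header_field($item, $badStrings)) {
                return true;
            }
        }
        return false;
    }
    $haystack = (string) $value;
    foreach ($badStrings as $needle) {
        if (stripos($haystack, $needle) !== false) {
            return true;
        }
    }
    return false;
}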