CODEWITHSUNDEEP
phpformsargument-passing
Sebastian Starke
Sebastian Starke

Reputation: 5317

secure way of passing form variable

Im building a contact form for my wordpress theme. I want the ability to enter a receiver adress from the backend. At the moment I am passing the variable with a hidden input field.

<input type="text" class="hidden" name="receiver" value="<?php get_option('admin_email') ?>"/>

I read that I shouln't do this, because its insecure. But how would I do it then?

Edit: Here is my process.php. I tried to get the admin email but that breaks it somehow.

<?php if( isset($_POST) ){

    //form validation vars
    $formok = true;
    $errors = array();

    //sumbission data
    $ipaddress = $_SERVER['REMOTE_ADDR'];
    $date = date('d.m.Y');
    $time = date('H:i');

    //form data
    $name = $_POST['name']; 
    $email = $_POST['email'];
    $website = $_POST['website'];
    $budget = $_POST['budget'];
    $message = $_POST['message'];

    $receiver = $_POST['receiver'];
    $sender = get_option('admin_email');

    if(empty($name)){
        $formok = false;
        $errors[] = "Sie haben keinen Namen angegeben.";
    }

    if(empty($email)){
        $formok = false;
        $errors[] = "Sie haben keine Emailadresse angegeben.";
    //validate email address
    }elseif(!filter_var($email, FILTER_VALIDATE_EMAIL)){
        $formok = false;
        $errors[] = "Sie haben keine gültige Emailadresse angegeben.";
    }

    if(empty($message)){
        $formok = false;
        $errors[] = "Das Nachrichtenfeld ist leer.";
    }
    elseif(strlen($message) < 20){
        $formok = false;
        $errors[] = "Ihre Nachricht muss mindestens 20 Zeichen enthalten.";
    }

    if($formok){
        $headers = "From: {$email}" . "\r\n";
        $headers .= 'Content-type: text/html; charset=UTF-8' . "\r\n";

        $emailbody = "<p><strong>Name: </strong> {$name} </p>
                      <p><strong>Website: </strong> {$website} </p>
                      <p><strong>Nachricht: </strong> {$message} </p>
                      <p>Diese Nachricht wurde am {$date} um {$time} über {$sender} gesendet.</p>";

        if($receiver){
            mail($receiver,"Anfrage ".$name,$emailbody,$headers);
        }
        else{
            mail('[email protected]',"Error",$emailbody,$headers);
        }
    }

    //what we need to return back to our form
    $returndata = array(
        'posted_form_data' => array(
            'name' => $name,
            'email' => $email,
            'website' => $website,
            'budget' => $budget,
            'message' => $message
        ),
        'form_ok' => $formok,
        'errors' => $errors
    );

    //if this is not an ajax request
    if(empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) !== 'xmlhttprequest'){
        //set session variables
        session_start();
        $_SESSION['cf_returndata'] = $returndata;

        //redirect back to form
        header('location: ' . $_SERVER['HTTP_REFERER']);
    }
}

Upvotes: 2

Views: 435

Answers (3)

ChrisLTD
ChrisLTD

Reputation: 433

Put your form processing code inside a Wordpress page template, then you can use get_option('admin_email') in the backend form code and never have to expose it on a public web page.

Upvotes: 0

Nir Alfasi
Nir Alfasi

Reputation: 53525

Since you know the receiver address - you shouldn't pass it. When the form is submitted - you can use the backend PHP script to send it without exposing it to the user at all!

Upvotes: 3

Andrew Robinson
Andrew Robinson

Reputation: 31

Use sessions. When the user submits send the data to the following SQL query that will parse all your data

Upvotes: 2

Related Questions