Jump to content

Securing a form submit script


lecrackffm
 Share

Recommended Posts

Hello, 

thanks to many great posts in this Forum i managed do create a working script which saves a Form submit to a new page (including a file upload) via AJAX.

I still have to questions :

1. Does anyone see a security risk in this script? Its the first time im building something like that.

2. How can i prevent direct access via the url. i would like to throw a Wire404Exception then. I tried if($input->post-name) {...} .. but that gives me a 404 on the AJAX request if the name is left empty , which is not what i want.

Thanks for your support!

<?php 
$msg = ['name' => ['error' => 'Kein Name angegeben'],
					'vorname' => ['error' => 'Kein vorname angegeben'],
					'file' => ['error' => 'Keine Datei hochgeladen'],
					'wire' => ['error' => 'Unerwarteter Fehler, bitte nochmal versuchen'],
					'success' => ['success' => 'Bestellung erfolgreich abgeschlossen']
       ];

//Check if all input fields have Data. Everything will be checked via javascript in the frontend as well.
if(empty($_POST['name'])) {
	echo json_encode($msg['name']);
	return false;
}
if(empty($_POST['vorname'])) {
	echo json_encode($msg['vorname']);
	return false;
}
if(!isset($_FILES['doc'])|| $_FILES['doc']['error'] == UPLOAD_ERR_NO_FILE) {
	echo json_encode($msg['file']);
	return false;
}

$uploadPath = $config->paths->assets . "files/tmp_uploads/";

$doc = new WireUpload('doc');
$doc->setMaxFiles(1);
$doc->setOverwrite(false);
$doc->setDestinationPath($uploadPath);
$doc->setValidExtensions(array('pdf', 'jpg', 'png', 'jpeg'));

$documents = $doc->execute();

if(!count($documents)) {
echo json_encode($msg['wire']);
return false;
}

$np = new Page();
$np->template = $templates->get('new-order');
$np->parent = $pages->get('/bestellungen/');

//Populate fields with sanitized data
$np->title = "Neue Bestellung von " . $sanitizer->text($input->post->name);
$np->orderName = $sanitizer->text($input->post->name);
$np->orderVorname = $sanitizer->text($input->post->vorname);

$np->save();

foreach ($documents as $document) {
$pathname = $uploadPath . $document;
$np->orderFile->add($pathname);
unlink($pathname);
}

$np->save();

echo json_encode($msg['success']);

?>

 

Link to comment
Share on other sites

Looks good to me. What page do you want to restrict exactly? The one that processes the form?

Two quick ideas come to my mind, restrict by IP the specific page (use your server IP or 127.0.0.1) or check the referer if it's coming from the previous page.

That way, the page can't be accessed directly by the public but only through the form. Another more clean and elegant way is to use the permission/groups with PW and make the form submit like logged as that user, but I'm also new to PW so I don't know exactly about that.

Link to comment
Share on other sites

  • 3 weeks later...

Thanks for your looking over my code @thor.

What i was looking for is securing the site by using 

if($input->post->action == 'send'){}

but it seems not to work with when data is send via Ajax? 

i also tried using 

if($input->ajax) {}

but this is not working either.

I always end up in the else condition if i post the data. 

I am pretty sure there is, as always,  a pretty simple solution to my problem ??

 

Link to comment
Share on other sites

@Robin SSorry, that was a typo. Of course i meant 

if($config->ajax) {}

Which is not working in my case.

It looks like somehow, the form submit is not beeing recognized as a Ajax request?

I am using the axios library in this case, but this should not make a difference, right?

Link to comment
Share on other sites

I figured it out: 

While using Axios.post() one has to set the Header explicitly to: 'X-Requested-With': 'XMLHttpRequest'

Just in case someone is facing the same Problem in the future:

axios.post('/pathTo/script/', yourData, {headers: {'X-Requested-With': 'XMLHttpRequest'}})

Have a nice weekend.

  • Like 2
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...