lecrackffm Posted May 20, 2017
Hello, thanks to many great posts in this forum I managed to create a working script which saves a form submit to a new page (including a file upload) via AJAX. I still have two questions:
1. Does anyone see a security risk in this script? It's the first time I'm building something like that.
2. How can I prevent direct access via the URL? I would like to throw a Wire404Exception then. I tried if($input->post->name) {...}, but that gives me a 404 on the AJAX request if the name is left empty, which is not what I want.
Thanks for your support!

<?php
// Messages returned to the client as JSON
$msg = [
    'name'    => ['error'   => 'Kein Name angegeben'],                          // no name given
    'vorname' => ['error'   => 'Kein vorname angegeben'],                       // no first name given
    'file'    => ['error'   => 'Keine Datei hochgeladen'],                      // no file uploaded
    'wire'    => ['error'   => 'Unerwarteter Fehler, bitte nochmal versuchen'], // unexpected error, please try again
    'success' => ['success' => 'Bestellung erfolgreich abgeschlossen'],         // order completed successfully
];

// Check that all input fields carry data. Everything is checked via JavaScript in the frontend as well.
if(empty($_POST['name'])) {
    echo json_encode($msg['name']);
    return false;
}
if(empty($_POST['vorname'])) {
    echo json_encode($msg['vorname']);
    return false;
}
if(!isset($_FILES['doc']) || $_FILES['doc']['error'] == UPLOAD_ERR_NO_FILE) {
    echo json_encode($msg['file']);
    return false;
}

// Temporary location for the upload before it is attached to the new page
$uploadPath = $config->paths->assets . "files/tmp_uploads/";

// Handle the upload with ProcessWire's WireUpload: one file, no overwrite, extension whitelist
$doc = new WireUpload('doc');
$doc->setMaxFiles(1);
$doc->setOverwrite(false);
$doc->setDestinationPath($uploadPath);
$doc->setValidExtensions(array('pdf', 'jpg', 'png', 'jpeg'));
$documents = $doc->execute();

if(!count($documents)) {
    echo json_encode($msg['wire']);
    return false;
}

// Create the order page under /bestellungen/
$np = new Page();
$np->template = $templates->get('new-order');
$np->parent = $pages->get('/bestellungen/');

// Populate fields with sanitized data
$np->title = "Neue Bestellung von " . $sanitizer->text($input->post->name);
$np->orderName = $sanitizer->text($input->post->name);
$np->orderVorname = $sanitizer->text($input->post->vorname);
$np->save(); // the page has to exist before files can be attached to it

// Move the uploaded file(s) into the page's file field and remove the temporary copy
foreach ($documents as $document) {
    $pathname = $uploadPath . $document;
    $np->orderFile->add($pathname);
    unlink($pathname);
}
$np->save();

echo json_encode($msg['success']);
?>
Thor Posted May 21, 2017
Looks good to me. What page do you want to restrict exactly? The one that processes the form? Two quick ideas come to my mind: restrict the specific page by IP (use your server IP or 127.0.0.1), or check the referer to see if it's coming from the previous page. That way, the page can't be accessed directly by the public but only through the form. Another, cleaner and more elegant way is to use the permissions/groups of PW and make the form submit as if logged in as that user, but I'm also new to PW so I don't know exactly about that.
lecrackffm Posted June 9, 2017 Author
Thanks for looking over my code, @thor. What I was looking for is securing the page by using if($input->post->action == 'send'){}, but it seems not to work when the data is sent via Ajax? I also tried using if($input->ajax) {}, but this is not working either. I always end up in the else condition if I post the data. I am pretty sure there is, as always, a pretty simple solution to my problem.
Robin S Posted June 9, 2017
3 hours ago, lecrackffm said: "I also tried using if($input->ajax) {} but this is not working either."
I think you want: if($config->ajax) {}
From the $config->ajax documentation: "If the current request is an ajax (asynchronous javascript) request, this is set to true."
lecrackffm Posted June 10, 2017 Author
@Robin S Sorry, that was a typo. Of course I meant if($config->ajax) {}, which is not working in my case. It looks like somehow the form submit is not being recognized as an Ajax request? I am using the axios library in this case, but this should not make a difference, right?
lecrackffm Posted June 10, 2017 Author
I figured it out: while using axios.post() one has to set the header explicitly to 'X-Requested-With': 'XMLHttpRequest'. Just in case someone is facing the same problem in the future:
axios.post('/pathTo/script/', yourData, {headers: {'X-Requested-With': 'XMLHttpRequest'}})
Have a nice weekend.
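The handler from the first post combined with the $config->ajax gate worked out in this thread, as an added example (editor's code, not the original poster's script and not ProcessWire's own code). It assumes the template, parent path and field names from the thread ('new-order', '/bestellungen/', orderName, orderVorname, orderFile), an existing writable site/assets/files/tmp_uploads/ directory, and that the form page renders ProcessWire's session CSRF token as a hidden field named $session->CSRF->getTokenName() with the value $session->CSRF->getTokenValue(), so that the axios FormData carries it. The 5 MB size cap is an illustrative value. Two points the thread only touches on: the X-Requested-With header that makes $config->ajax true can be set by any client (curl, a script), so the gate only turns direct browser navigation into a 404; the CSRF token and the server-side checks are what actually protect the handler. And the extension whitelist in WireUpload is compared against a client-supplied filename, so the stored bytes are checked again with finfo before the file is attached to the page.

```php
<?php namespace ProcessWire;
// Added example, not the original poster's or ProcessWire's own code.
// Assumed from the thread: template 'new-order', parent '/bestellungen/',
// fields orderName / orderVorname / orderFile, and an existing, writable
// site/assets/files/tmp_uploads/ directory. The 5 MB cap and the German
// messages are illustrative values.

$reply = function(array $payload) {
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode($payload);
};

// 1. Gate the handler. $config->ajax is true only when the request carries
//    X-Requested-With: XMLHttpRequest (the header axios must be told to send).
//    A URL typed into the address bar is a GET without it and gets a 404.
//    Anyone with curl can add the header, so this is routing, not authorization.
if (!$config->ajax || $_SERVER['REQUEST_METHOD'] !== 'POST') {
    throw new Wire404Exception();
}

// 2. CSRF. The form page renders the session token as a hidden field
//    (name = $session->CSRF->getTokenName(), value = getTokenValue(), assumed
//    form markup); the posted FormData carries it and it is compared here.
if (!$session->CSRF->hasValidToken()) {
    $reply(['error' => 'Ungültiges Formular-Token']); // invalid form token
    return;
}

// 3. Validate the sanitized values rather than the raw $_POST entries.
$name    = $sanitizer->text($input->post->name,    ['maxLength' => 128]);
$vorname = $sanitizer->text($input->post->vorname, ['maxLength' => 128]);
if ($name === '') {
    $reply(['error' => 'Kein Name angegeben']);      // no name given
    return;
}
if ($vorname === '') {
    $reply(['error' => 'Kein Vorname angegeben']);   // no first name given
    return;
}
if (empty($_FILES['doc']) || $_FILES['doc']['error'] === UPLOAD_ERR_NO_FILE) {
    $reply(['error' => 'Keine Datei hochgeladen']);  // no file uploaded
    return;
}

// 4. Upload: extension whitelist plus a size cap (5 MB is an assumed limit).
$uploadPath = $config->paths->assets . 'files/tmp_uploads/';
$upload = new WireUpload('doc');
$upload->setMaxFiles(1);
$upload->setMaxFileSize(5 * 1024 * 1024);
$upload->setOverwrite(false);
$upload->setDestinationPath($uploadPath);
$upload->setValidExtensions(['pdf', 'jpg', 'jpeg', 'png']);
$files = $upload->execute(); // returns the basenames of the stored files
if (!count($files)) {
    $reply(['error' => 'Unerwarteter Fehler, bitte nochmal versuchen']); // unexpected error, please retry
    return;
}

// 5. The extension is client-controlled; inspect the stored bytes as well and
//    discard anything whose content is not one of the three accepted formats.
$allowedMime = ['application/pdf', 'image/jpeg', 'image/png'];
$finfo = finfo_open(FILEINFO_MIME_TYPE);
foreach ($files as $basename) {
    $pathname = $uploadPath . $basename;
    if (!in_array(finfo_file($finfo, $pathname), $allowedMime, true)) {
        unlink($pathname);
        finfo_close($finfo);
        $reply(['error' => 'Keine Datei hochgeladen']);
        return;
    }
}
finfo_close($finfo);

// 6. Create the order page; it must be saved once before files can be attached.
$np = new Page();
$np->template     = $templates->get('new-order');
$np->parent       = $pages->get('/bestellungen/');
$np->title        = "Neue Bestellung von $name";
$np->orderName    = $name;
$np->orderVorname = $vorname;
$np->save();

foreach ($files as $basename) {
    $pathname = $uploadPath . $basename;
    $np->orderFile->add($pathname); // copied into the page's own assets directory
    unlink($pathname);               // drop the temporary copy
}
$np->save();

$reply(['success' => 'Bestellung erfolgreich abgeschlossen']); // order completed successfully
```

A quick check that the gate behaves as intended: a plain GET of the handler URL in a browser, or a POST without the X-Requested-With header, must come back as the site's 404 page; a POST with the header but without the token field must come back as the JSON "Ungültiges Formular-Token" reply rather than creating a page under /bestellungen/. On the client side, the axios call from the post above stays as it is, with the token appended to the FormData under the name that $session->CSRF->getTokenName() returns.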