Hiding webform keys in PHP


gigiloumill
01-28-2012, 04:09 PM
Good morning guys: I have a rather technical question. The contact form I have in a website has the following HTML:

<form method="POST" name="myform" action="http://www.test.com/crm/test/test/test.php">
<input type="hidden" value="Contacts" name="moduleName" />
<input type="hidden" value="****************12345" name="appKey" />

When the reader hits submit, the form pushes the info to the action above and then it goes into a CRM. My question is: Is there a PHP script I can include in a page that I can send the action to and have the keys in there? Right now the keys are open to the public and obviously I have to hide them for security reasons. As always, thanks in advance.

edbr
01-28-2012, 11:02 PM
It's basically a variable, so it can be converted. Quick example below:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<form action="" method="POST" name="form"><br />

<input name="first" type="text" /><br />

<input name="appkey" type="hidden" value="appkey" />
<br />
<input name="" type="submit" value="Submit" />



</form>
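hidden value =<?php echo htmlspecialchars(isset($_POST['appkey']) ? $_POST['appkey'] : '', ENT_QUOTES, 'UTF-8'); ?>

<?php
// Swap the placeholder for the real key on the server, only once the form has been submitted.
if (isset($_POST['appkey']) && $_POST['appkey'] == "appkey") {
    $_POST['appkey'] = "111xxxxxxxx34";
}
?><br />

new value =<?php echo htmlspecialchars(isset($_POST['appkey']) ? $_POST['appkey'] : '', ENT_QUOTES, 'UTF-8'); ?>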

</body>
</html>

gigiloumill
01-29-2012, 12:38 AM
Thanks E... I'll look into it and post.

gigiloumill
01-29-2012, 12:51 AM
O.K. I tried it but I can't figure out where to include the action page:
<form method="POST" name="myform" action="http://www.test.com/crm/test/test/test.php">

gigiloumill
01-29-2012, 12:57 AM
Here's the entire code I'm using:
<form method="POST" name="myform" action="http://www.test.com/crm/test/test/test.php">
<input type="hidden" value="Contacts" name="moduleName" />
<input name="appkey" type="hidden" value="appkey" />
<label>
<span>Name:
</span>
<input type="text" name="firstname" id="firstname"/>

</label>
<label>
<span>Last Name:
</span>
<input type="text" name="lastname" id="lastname"/>

</label>
<label>
<span>E-mail:
</span>
<input type="text" name="email" id="email"/>

</label>
<label>
<span>Subject:
</span>
<input type="text" name="subject" id="subject"/>

</label>
<label>
<span>Message:
</span>
<textarea name="message" id="message">
</textarea>
<input type="submit" class="button" value="Send" />

</label>

</form>
hidden value =<?php echo $_POST['appkey']; ?>

<?php if($_POST['appkey']=="appkey"){

$_POST['appkey']="*****************1234" ;}

?><br />

new value =<?php echo $_POST['appkey']; ?>
</div>
<div class="clear">
</div>

Thanks

edbr
01-29-2012, 01:38 AM
Put the if condition at the beginning of http://www.test.com/crm/test/test/test.php, as it won't be a POST value until submitted.

gigiloumill
01-29-2012, 03:14 PM
O.K. E, this is what I got so far, after trying all different ways.
<form method="POST" name="myform" <?php if($_POST['appkey']=="appkey"){

$_POST['appkey']="*****************12345" ;}

?> action="http://www.test.com/test/test/test/test.php" >

<input type="hidden" value="Contacts" name="moduleName" />
<input name="appkey" type="hidden" value="appkey" />
<label>
<span>Name:
</span>
<input type="text" name="firstname" id="firstname"/>

</label>
<label>
<span>Last Name:
</span>
<input type="text" name="lastname" id="lastname"/>

</label>
<label>
<span>E-mail:
</span>
<input type="text" name="email" id="email"/>

</label>
<label>
<span>Subject:
</span>
<input type="text" name="subject" id="subject"/>

</label>
<label>
<span>Message:
</span>
<textarea name="message" id="message">
</textarea>
<input type="submit" class="button" value="Send" />

</label>

</form>


When I submit the form, it obviously doesn't go into the CRM. I can't find a spot to place these:
hidden value =<?php echo $_POST['appkey']; ?>
new value =<?php echo $_POST['appkey']; ?>
It seems that no matter where I've placed them, I get an error. Any other suggestions? Thanks

edbr
01-30-2012, 02:46 AM
You need to add:
<?php if($_POST['appkey']=="appkey"){

$_POST['appkey']="111xxxxxxxx34" ;}

?>

edit for actual key and form field name

gigiloumill
01-30-2012, 10:10 AM
E, I have added it everywhere, and it still doesn't work. I have followed your directions with no luck. Exactly where does this thing get placed? Thanks

edbr
01-31-2012, 12:16 AM
OK, let me try step by step.
The form will send a $_POST array.
The hidden field will be sent to the script (http://www.test.com/test/test/test/test.php) as $_POST['appkey'] with the value appkey.

If you add
<?php if($_POST['appkey']=="appkey"){
$_POST['appkey']="111xxxxxxxx34" ;}
?>
before the script processes, i.e. at the top of the http://www.test.com/test/test/test/test.php page,

then $_POST['appkey'] will be seen by the script as the new value.
I don't know how the script is coded but that should work.

gigiloumill
01-31-2012, 10:15 AM
Thanks for all your help on this one E. I still couldn't get it to work. But, you gave him a hint, I followed it and it worked: "I don't know how the script is coded but that should work". I actually included the keys in the sending script and it worked.
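
A server-side relay is one way to keep the key out of the public page, shown here as an added example that is not code from the thread. It assumes the public form posts to a hypothetical relay.php on the site's own server (with no appKey or moduleName field in the HTML), that the key is read from a hypothetical CRM_APP_KEY environment variable, and that the CRM accepts the same field names the thread's form uses.

```php
<?php
// relay.php: added example, not from the thread. The public form posts here
// (action="relay.php") and contains no appKey field at all.

// Assumptions: the CRM endpoint is the URL quoted in the thread, and the key
// comes from a hypothetical CRM_APP_KEY environment variable.
const CRM_ENDPOINT = 'http://www.test.com/crm/test/test/test.php';
const ALLOWED_FIELDS = ['firstname', 'lastname', 'email', 'subject', 'message'];

/** Build the CRM payload from untrusted input; secrets are added server-side. */
function build_crm_payload(array $post, string $appKey): array
{
    $payload = [];
    foreach (ALLOWED_FIELDS as $field) {
        // Only allow-listed string fields are forwarded; anything else the
        // client sent (including its own appKey or moduleName) is dropped.
        $value = $post[$field] ?? '';
        $payload[$field] = is_string($value) ? trim($value) : '';
    }
    $payload['moduleName'] = 'Contacts';
    $payload['appKey'] = $appKey; // never echoed back to the browser
    return $payload;
}

/** POST the payload to the CRM from the server and report success. */
function forward_to_crm(array $payload): bool
{
    $ch = curl_init(CRM_ENDPOINT);
    curl_setopt_array($ch, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query($payload),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT => 10,
    ]);
    curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    return $status >= 200 && $status < 300;
}

if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $appKey = getenv('CRM_APP_KEY');
    if ($appKey === false || $appKey === '') {
        http_response_code(500);
        exit('Server is not configured.');
    }
    $ok = forward_to_crm(build_crm_payload($_POST, $appKey));
    http_response_code($ok ? 200 : 502);
    echo $ok ? 'Thank you.' : 'Could not submit the form.';
}
```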

gigiloumill
02-08-2012, 03:20 PM
E, I was able to hide the keys. But is it possible to hide the calling address in some PHP script?: action="http://www.test.com/crm/test/test/test.php">. All a spammer needs to do is cut and paste the entire form and send spam to it. I just did it and it worked. Thanks.

edbr
02-09-2012, 12:16 AM
Well, you can add a referrer check but it is not foolproof; again, a determined individual could get round that.
A captcha form could help, as the field would be generated server-side and passed in a session.

gigiloumill
02-09-2012, 01:34 AM
Thanks. Captcha it is.
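
The "field generated server-side and passed in a session" mechanism mentioned above, as an added example that is not code from the thread: a single-use random token takes the place of the captcha answer, so a saved copy of the form posted from elsewhere carries no value the session recognises. The field name form_token and the 30-minute lifetime are assumptions.

```php
<?php
// Added example, not from the thread: one-time form token kept in the session.
session_start();

/** Issue a fresh token each time the form page is rendered. */
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    $_SESSION['form_issued'] = time();
    return $token;
}

/** Accept a submission once, and only with the token this session was given. */
function check_form_token(array $post, int $maxAge = 1800): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    $issued = $_SESSION['form_issued'] ?? 0;
    unset($_SESSION['form_token'], $_SESSION['form_issued']); // single use
    $given = $post['form_token'] ?? '';
    if (!is_string($expected) || !is_string($given)) {
        return false; // no token issued, or field missing/array-valued
    }
    if (time() - $issued > $maxAge) {
        return false; // form was loaded too long ago
    }
    return hash_equals($expected, $given); // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!check_form_token($_POST)) {
        http_response_code(403);
        exit('Form expired or not loaded from this site.');
    }
    // Validated: hand the fields to the server-side sender at this point.
    exit('Thank you.');
}
$token = issue_form_token();
?>
<form method="POST" action="">
  <input type="hidden" name="form_token" value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>" />
  <input type="text" name="email" />
  <input type="submit" value="Send" />
</form>
```

A token alone only rejects static copies and blind replays of the form; a captcha adds a challenge on top of the same session mechanism.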