I'm trying to add CSRF protection to my current form. I had a programmer assist me, but I feel like there is missing code. If he only did half the work, then it's really unfortunate for those who may be oblivious to this.

Here is the session found in the index where the form is:

    <?php
     session_start();
     // Token issued for this page load and stored in the session for the handler to check.
     // random_bytes() is a CSPRNG; the original md5(uniqid()) is time-based and guessable.
     $csrfToken = bin2hex(random_bytes(16));
     $_SESSION['csrfToken'] = $csrfToken;
     session_write_close();
    ?>

Here is the actual form part:

    <form id="popup-form" role="form" method="post" action="intake-form.php">
        <!-- These fields are taken from the intake form but hidden -->
        <input type="hidden" name="csrfToken" value="<?php echo $csrfToken; ?>" />

Here is part of the PHP file that sends the form, which I am "securing"; includes/smtp.php includes the mail function that sends out the form.

    // Secure the form
    session_start();
    $csrfToken = $_SESSION['csrfToken'] ?? '';   // '' when no token was ever issued
    unset($_SESSION['csrfToken']);               // single use: consume the token
    session_write_close();

    $posted = $_POST['csrfToken'] ?? '';
    // hash_equals(): constant-time, strict string comparison instead of loose ==.
    // is_string(): a posted csrfToken[]=x arrives as an array and would break hash_equals().
    if ($csrfToken !== '' && is_string($posted) && hash_equals($csrfToken, $posted)) {
        // $email and $message are the data that is being
        // posted to this page from our html contact form
        $email        = $_POST['email'] ?? '';
        $name         = $_POST['name'] ?? '';
        $message      = $_POST['message'] ?? '';
        $phone        = $_POST['phone'] ?? '';
        $additional   = $_POST['additionalInfo'] ?? '';
        $fundedOption = $_POST['fundedOption'] ?? '';
        include 'includes/smtp.php';
    }
Brian Garcia
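The missing piece the question is asking about is the check on the handler side, tied to a token that was issued in the session. Below is an added example, not the asker's or the contractor's code: one helper file that issues a per-session token for the page rendering the form and verifies it in intake-form.php. It assumes PHP 7+ (random_bytes, hash_equals) and cookie-based sessions; the function names are my own.

```php
<?php
// Added example, not the asker's code: one CSRF token per session, issued by
// the page that renders the form and checked by intake-form.php on submit.
// Assumes PHP 7+ (random_bytes, hash_equals) and cookie-based sessions.
declare(strict_types=1);

function csrfToken(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrfToken'])) {
        // CSPRNG output; md5(uniqid()) is time-based and guessable.
        $_SESSION['csrfToken'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrfToken'];
}

// Hidden input to place inside the <form> (the form must use method="post").
function csrfField(): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrfToken" value="' . $token . '">';
}

// Returns true only when a token was issued and the posted value matches it.
function csrfValid(array $post): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['csrfToken'] ?? '';
    $given    = $post['csrfToken'] ?? '';
    // is_string: csrfToken[]=x would arrive as an array and break hash_equals.
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given); // constant-time, strict comparison
}

// In intake-form.php, before reading any other field or including smtp.php:
if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // $_POST['email'], $_POST['name'], ... are safe to process here.
}
```

If you want single-use tokens as the posted handler does with unset(), regenerate the token after a successful check rather than on every page load; otherwise opening the form in a second tab silently invalidates the first.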
  • What do you mean "Sends out the form"? This code emails a submitted form - though it doesn't do anything with the csrfKey hidden value.... – WillardSolutions Jul 28 '16 at 17:01
  • You must check the validity of the token when the form is submitted. – frz3993 Jul 28 '16 at 17:02
  • Hi, sorry for the confusion. It doesn't look like he added the CSRF protection to the actual file that processes and sends out the form. I don't see any references to the csrfToken. Shouldn't there be some kind of IF Statement that cross checks the session? – Brian Garcia Jul 28 '16 at 17:03
  • @BrianGarcia You are correct. – WillardSolutions Jul 28 '16 at 17:04
  • If the contact form doesn't require authentication, I suggest adding something like recaptcha into the mix. – frz3993 Jul 28 '16 at 17:05
  • How does all this tie together? Are you using separate files, has the session been started in all pages using sessions, etc.? The question's unclear to me and the HTML form is incomplete. This should be a no-brainer really. – Funk Forty Niner Jul 28 '16 at 17:07
  • Then you have a named input `name="csrfKey"` but no POST/REQUEST/SESSION array posted. The HTML form's method is unknown. If it's POST, then why use REQUEST? – Funk Forty Niner Jul 28 '16 at 17:09
  • @Fred-ii- These are very good points. I'm not a programmer so I am trying to figure this out myself. I obviously don't hire competent people. There is not a session for each page, I can add it to the header include though that will reach all pages. I'll look into the other issues too. I needed a push in the right direction on where to start. – Brian Garcia Jul 28 '16 at 17:15
  • See these Q&A's, they will help you in the right direction http://stackoverflow.com/q/10466241/ --- http://stackoverflow.com/q/6287903/ --- https://www.owasp.org/index.php/PHP_CSRF_Guard - It's best you use a POST method for your form and use `$_POST` with the array values that match named inputs. Using error reporting is also useful when coding http://php.net/manual/en/function.error-reporting.php – Funk Forty Niner Jul 28 '16 at 17:20
  • (addendum to the above). Your inputs need to reside inside form tags `<form method="post" action="xxx"> (other inputs and submit) </form>` etc., as a quick example. `xxx` here is the file handler you will be using. – Funk Forty Niner Jul 28 '16 at 17:25
  • @Fred-ii- I edited my post to show the new changes. The form seems to be sending out correctly. – Brian Garcia Jul 28 '16 at 17:44
  • @BrianGarcia Great. I take it you closed off the form though with `</form>`, correct? – Funk Forty Niner Jul 28 '16 at 17:45
  • @Fred-ii- Yes, of course. I'm a front-end guy who was thrown a back-end job so I am trying to get the job done... So, I'm not completely lost haha. Thanks for your help. – Brian Garcia Jul 28 '16 at 17:47
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/118568/discussion-between-brian-garcia-and-fred-ii). – Brian Garcia Jul 28 '16 at 17:49

0 Answers