
Form population via 3rd party &task=send error

alan.bagley 04 Mar, 2010
Hi all,

I have a form set up that a 3rd party will be using a script to populate, a local job board. The form is here:

http://nextmoveit.co.uk/index.php?option=com_chronocontact&chronoformname=upload_bean

The form is still in development so no validation is active at the moment.

The form works when data is entered and submit is hit, the output of the form can be seen here:

http://nextmoveit.co.uk/index.php?option=com_chronoconnectivity&connectionname=bean

In order for the 3rd party to be able to submit to the form they have to use the submit url, which is the following:

http://nextmoveit.co.uk/index.php?option=com_chronocontact&task=send&chronoformname=upload_bean

and I get the following error message:
There is no form with this name or may be the form is unpublished, Please check the form and the url and the form management

With De-bug on this is the output:



From: []
To: alan@integrous.co.uk
CC:
BCC:
Subject: Broard Bean
Reference No: test
Job Title: test
Job type: test
Start date: test
Duration (if contract): test
Industry Sector: test
Salary: test
Benefits: test
Visa Required: test
Location: test
Job Summary test
Detailed Job Description test

Submitted by 80.45.133.94

Files:

1. Form passed first SPAM check OK
2. Form passed the submissions limit (if enabled) OK
3. Form passed the Image verification (if enabled) OK
4. Form passed the server side validation (if enabled) OK
5. $_POST Array: Array ( [job_reference] => test [job_title] => test [job_type] => test [job_startdate] => test [job_duration] => test [job_industry] => test [salary_per] => test [salary_benefits] => test [job_visa] => test [job_location] => test [job_summary] => test [job_description] => test [Submit2] => Submit [681fa44e8afdc6ae62ca6dceb79edaaa] => 1 [1cf1] => 9c8a5da9c9e8d23c54fd1b369218a273 [chronoformname] => upload_bean )
6. $_FILES Array: Array ( )
7. Form passed the plugins step (if enabled) OK
8. An email has been SENT successfully from () to alan@integrous.co.uk
9. Debug End
10.
Redirect link set, click to test:
/index.php?option=com_content&view=article&id=13

Is there a way around this so that the 3rd party can submit remotely?

Please advise

Best regards
Alan
nml375 04 Mar, 2010
Hi Alan,
Since Joomla v1.5.6 or so, there is a feature known as a "Token check". This is used to protect your site against unwanted cross-site submissions. Unfortunately, in your case, you'd like to allow this.

There are two steps for sorting this; in your form setup, there's an option on the General tab known as "Token Check", set this to no. Next, you'll have to edit the file chronocontact.php: locate the line below (around line 111):
        if((!JRequest::checkToken()) && $MyForm->formparams('checkToken', 1)){
                echo "You are not allowed to access this URL";
                return;
        }

Edit that like this:
        if($MyForm->formparams('checkToken', 1) && !JRequest::checkToken()){
                echo "You are not allowed to access this URL";
                return;
        }


Once you've changed the settings, and edited the file, your form should accept data from anywhere. I'd suggest you make use of the server-side validation however, and check the HTTP-referer header or something similar to prevent unwanted spam.

/Fredrik
GreyHead 04 Mar, 2010
Hi alan.bagley,

Try turning the CheckToken off in the Form General Tab. That will be half of it. There's also a ChronoForms hidden token, I'm not sure if that will stop the submission or not. If it does we'll need to think some more.

Bob

Fredrik's given you more info I see :-)
alan.bagley 04 Mar, 2010
Hi Fredrik,

thanks that worked a treat. I have been talking with the 3rd party and the form itself will not be used, just the submit link, so I have added a token check in the form code, something that GreyHead mentioned a week or so ago, so the top of the form reads:


<?php
if ( !$mainframe->isSite() ) { return; }
$token = JRequest::getString('token', '', 'get');
if ( $token != 'X25YqrY8zs' ) {
$mainframe->redirect('index.php');
}
?>
<table width="100%" border="0" cellspacing="2" cellpadding="2">
  <tr> 
    <td>Reference No:</td>

etc...

You mentioned using server-side validation to check the HTTP-referer header, I can see this in the admin section under the Validation tab, do you have an example of the code I would need to use at all?

Thanks again for all the support

Regards
Alan
nml375 04 Mar, 2010
Hi Alan,
Since you don't intend to use the form part, the on-submit box would suffice well, or perhaps be preferable to the server-side validation (serverside-validation will try to show the form again, it is not smart enough however to realize the form is on a remote site).

To test the HTTP-referer, you could use something like this in your form code:
<?php
// Send the request away unless the Referer header matches the expected form URL
if (!isset($_SERVER['HTTP_REFERER']) || $_SERVER['HTTP_REFERER'] != 'http://www.somesite.tld/form.html') {
  $mainframe->redirect('index.php');
}
?>


The HTTP-Referer header isn't foolproof, as it's something the remote client is providing (evil clients could lie about this). It does however make it slightly more difficult for spambots to get all "criteria" correct.

/Fredrik
alan.bagley 05 Mar, 2010
Hi /Fredrik,

thanks again, so would this code work if I have a range of IP addresses, would I do the following:


<?
if (!isset($_SERVER['HTTP_REFERER']) || $_SERVER['HTTP_REFERER'] != '83.223.97.130' || '83.223.97.254' || '83.223.97.130' ) {
  $mainframe->redirect('index.php');
}

the 3rd party said the following:
The current range of IP that can / will submit is as follows:

The current range is
83.223.97.130 through to 83.223.97.254,
213.165.2.150 through to 213.165.2.250 (213.165.2.128/25).

So how would I allow these in addition to HTTP_REFERER, please?

Regards
Alan
GreyHead 05 Mar, 2010
Hi alan.bagley,

I think that you just write a code snippet to match these, there are some problems in making sure that the IP address comes in a consistent style.
<?php
if ( !isset($_SERVER['HTTP_REFERER']) ) {
  $mainframe->redirect('index.php');
  return;
}
// Split the dotted address into its four parts
$url = explode('.', $_SERVER['HTTP_REFERER']);
// Allowed ranges: 83.223.97.130-254 and 213.165.2.150-250
$in_first = ( $url[0] == 83 && $url[1] == 223 && $url[2] == 97 && ( $url[3] >= 130 && $url[3] <= 254 ) );
$in_second = ( $url[0] == 213 && $url[1] == 165 && $url[2] == 2 && ( $url[3] >= 150 && $url[3] <= 250 ) );
if ( !$in_first && !$in_second ) {
  // Not in either allowed range: send the request away
  $mainframe->redirect('index.php');
  return;
}
?>

Bob
alan.bagley 05 Mar, 2010
Thanks Bob, will give that a go

Regards
Alan
nml375 05 Mar, 2010
Hi Alan,
Just a question; you said the list of IP's were of those who could/would submit the form.
Is that the clients who would use the 3rd party form, or site(s) that would host the form?

The HTTP-Referer will point to the form used by the user, not the user him/herself. Meanwhile, the $_SERVER['REMOTE_ADDR'] should hold the IP of the user submitting the data, while $_SERVER['REMOTE_HOST'] should hold the hostname of the same.

/Fredrik
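
An added example (not code from any poster in this thread) of the distinction drawn above: it tests the connecting address from `$_SERVER['REMOTE_ADDR']` against the two ranges the 3rd party supplied, comparing numerically via `ip2long()` and rejecting anything that is not a single well-formed IPv4 address. The function name `ip_in_allowed_ranges` and the sample addresses are constructed for illustration.

```php
<?php
// Added example: allow-list check on the connecting address (REMOTE_ADDR),
// using the two ranges quoted in the thread. Function name is hypothetical.

/**
 * Return true if $ip is a valid IPv4 address inside one of $ranges.
 * Each range is array(first_address, last_address), inclusive.
 */
function ip_in_allowed_ranges($ip, array $ranges)
{
    // Reject anything that is not a well-formed dotted-quad IPv4 address.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    // sprintf('%u') keeps the value unsigned on 32-bit PHP builds.
    $addr = (float) sprintf('%u', ip2long($ip));
    foreach ($ranges as $range) {
        $low  = (float) sprintf('%u', ip2long($range[0]));
        $high = (float) sprintf('%u', ip2long($range[1]));
        if ($addr >= $low && $addr <= $high) {
            return true;
        }
    }
    return false;
}

$allowed = array(
    array('83.223.97.130', '83.223.97.254'),
    array('213.165.2.150', '213.165.2.250'),
);

// Constructed sample addresses: range edges, a list-style value, an empty value.
$samples = array('83.223.97.130', '83.223.97.129', '213.165.2.200',
                 '213.165.2.251', '83.223.97.200, 10.0.0.1', '');
foreach ($samples as $ip) {
    printf("%-26s %s\n", var_export($ip, true),
        ip_in_allowed_ranges($ip, $allowed) ? 'allow' : 'reject');
}

// In the form's on-submit code the same call gates the request:
// $remote = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
// if (!ip_in_allowed_ranges($remote, $allowed)) {
//     $mainframe->redirect('index.php');
// }
```

`REMOTE_ADDR` is taken from the TCP connection rather than from a client-supplied header, so unlike the Referer it cannot simply be set by the sender; behind a reverse proxy it will hold the proxy's address instead.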
alan.bagley 08 Mar, 2010
Hi /Fredrik,

the list of IP's are that of the 3rd party, so thanks for the advice, really appreciated

Regards
Alan