Hi all,
I have a form set up that a 3rd party will be using a script to populate, a local job board. The form is here:
http://nextmoveit.co.uk/index.php?option=com_chronocontact&chronoformname=upload_bean
The form is still in development so no validation is active at the moment.
The form works when data is entered and submit is hit, the output of the form can be seen here:
http://nextmoveit.co.uk/index.php?option=com_chronoconnectivity&connectionname=bean
In order for the 3rd party to be able to submit to the form they have to use the submit URL, which is the following:
http://nextmoveit.co.uk/index.php?option=com_chronocontact&task=send&chronoformname=upload_bean
and I get the following error message:
There is no form with this name or may be the form is unpublished, Please check the form and the url and the form management
With De-bug on this is the output:
From: []
To: alan@integrous.co.uk
CC:
BCC:
Subject: Broard Bean
Reference No: test
Job Title: test
Job type: test
Start date: test
Duration (if contract): test
Industry Sector: test
Salary: test
Benefits: test
Visa Required: test
Location: test
Job Summary test
Detailed Job Description test
Submitted by 80.45.133.94
Files:
1. Form passed first SPAM check OK
2. Form passed the submissions limit (if enabled) OK
3. Form passed the Image verification (if enabled) OK
4. Form passed the server side validation (if enabled) OK
5. $_POST Array: Array ( [job_reference] => test [job_title] => test [job_type] => test [job_startdate] => test [job_duration] => test [job_industry] => test [salary_per] => test [salary_benefits] => test [job_visa] => test [job_location] => test [job_summary] => test [job_description] => test [Submit2] => Submit [681fa44e8afdc6ae62ca6dceb79edaaa] => 1 [1cf1] => 9c8a5da9c9e8d23c54fd1b369218a273 [chronoformname] => upload_bean )
6. $_FILES Array: Array ( )
7. Form passed the plugins step (if enabled) OK
8. An email has been SENT successfully from () to alan@integrous.co.uk
9. Debug End
10.
Redirect link set, click to test:
/index.php?option=com_content&view=article&id=13
Is there a way around this so that the 3rd party can submit remotely?
Please advise
Best regards
Alan
Hi Alan,
Since Joomla v1.5.6 or so, there is a feature known as a "Token check". This is used to protect your site against unwanted cross-site submissions. Unfortunately, in your case, you'd like to allow this.
There are two steps for sorting this; in your form setup, there's an option on the General tab known as "Token Check", set this to no. Next, you'll have to edit the file chronocontact.php: locate the line below (around line 111):
if((!JRequest::checkToken()) && $MyForm->formparams('checkToken', 1)){
echo "You are not allowed to access this URL";
return;
}
Edit that like this:
if($MyForm->formparams('checkToken', 1) && !JRequest::checkToken()){
echo "You are not allowed to access this URL";
return;
}
Once you've changed the settings and edited the file, your form should accept data from anywhere. I'd suggest you make use of the server-side validation however, and check the HTTP-referer header or something similar to prevent unwanted spam.
/Fredrik
Hi alan.bagley,
Try turning the CheckToken off in the Form General Tab. That will be half of it. There's also a ChronoForms hidden token, I'm not sure if that will stop the submission or not. If it does we'll need to think some more.
Bob
Fredrik's given you more info I see :-)
Hi Fredrik,
thanks that worked a treat. I have been talking with the 3rd party and the form itself will not be used, just the submit link, so I have added a token check in the form code, something that GreyHead mentioned a week or so ago, so the top of the form reads:
<?php
if ( !$mainframe->isSite() ) { return; }
$token = JRequest::getString('token', '', 'get');
if ( $token != 'X25YqrY8zs' ) {
$mainframe->redirect('index.php');
}
?>
<table width="100%" border="0" cellspacing="2" cellpadding="2">
<tr>
<td>Reference No:</td>
etc...
You mentioned using server-side validation to check the HTTP-referer header, I can see this in the admin section under the Validation tab, do you have an example of the code I would need to use at all?
Thanks again for all the support
Regards
Alan
Hi Alan,
Since you don't intend to use the form part, the on-submit box would suffice well, or perhaps be preferable to the server-side validation (serverside-validation will try to show the form again, it is not smart enough however to realize the form is on a remote site).
To test the HTTP-referer, you could use something like this in your form code:
<?php
// Redirect away unless the request claims to come from the expected form page
if (!isset($_SERVER['HTTP_REFERER']) || $_SERVER['HTTP_REFERER'] != 'http://www.somesite.tld/form.html') {
  $mainframe->redirect('index.php');
}
?>
The HTTP-Referer header isn't foolproof, as it's something the remote client is providing (evil clients could lie about this). It does however make it slightly more difficult for spambots to get all "criterias" correct.
/Fredrik
Hi /Fredrik,
thanks again, so would this code work if I have a range of IP addresses, would I do the following:
<?
if (!isset($_SERVER['HTTP_REFERER']) || $_SERVER['HTTP_REFERER'] != '83.223.97.130' || '83.223.97.254' || '83.223.97.130' ) {
$mainframe->redirect('index.php');
}
the 3rd party said the following:
The current range of IP that can / will submit is as follows:
The current range is
83.223.97.130 through to 83.223.97.254,
213.165.2.150 through to
213.165.2.250 (213.165.2.128/25).
So how would I allow these in addition to HTTP_REFERER?
Regards
Alan
Hi alan.bagley,
I think that you just write a code snippet to match these, there are some problems in making sure that the IP address comes in a consistent style.
<?php
if ( !isset($_SERVER['HTTP_REFERER']) ) {
  $mainframe->redirect('index.php');
  return;
}
// Split the dotted value into its four parts
$url = explode('.', $_SERVER['HTTP_REFERER']);
// Allowed ranges: 83.223.97.130-254 and 213.165.2.150-250
$allowed = count($url) == 4 && (
  ( $url[0] == 83 && $url[1] == 223 && $url[2] == 97 && $url[3] >= 130 && $url[3] <= 254 )
  || ( $url[0] == 213 && $url[1] == 165 && $url[2] == 2 && $url[3] >= 150 && $url[3] <= 250 )
);
// Redirect everything that is not inside one of the allowed ranges
if ( !$allowed ) {
  $mainframe->redirect('index.php');
  return;
}
?>
Bob
Thanks Bob, will give that a go
Regards
Alan
Hi Alan,
Just a question; you said the list of IP's were of those who could/would submit the form.
Is that the clients who would use the 3rd party form, or site(s) that would host the form?
The HTTP-Referer will point to the form used by the user, not the user him/herself. Meanwhile, the $_SERVER['REMOTE_ADDR'] should hold the IP of the user submitting the data, while $_SERVER['REMOTE_HOST'] should hold the hostname of the same.
/Fredrik
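The address check discussed in this thread, written against `$_SERVER['REMOTE_ADDR']` rather than the Referer header, as an added example that is not part of the original posts or of ChronoForms. The two ranges are the ones the 3rd party quoted above; the function names `ipv4_in_range` and `is_allowed_submitter` and the sample addresses are hypothetical.

```php
<?php
// Added example: allowlist check on the connecting address, not the Referer.
// Function names are hypothetical; the ranges are the ones quoted in the thread.

function ipv4_in_range($ip, $low, $high)
{
    // Reject anything that is not a single well-formed dotted-quad address
    // (empty strings, hostnames, comma-separated lists, IPv6).
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    // inet_pton() returns 4 raw bytes in network order, so a byte-wise
    // comparison orders addresses numerically, also on 32-bit PHP builds.
    $addr = inet_pton($ip);
    return strcmp($addr, inet_pton($low)) >= 0
        && strcmp($addr, inet_pton($high)) <= 0;
}

function is_allowed_submitter($ip)
{
    $ranges = array(
        array('83.223.97.130', '83.223.97.254'),
        array('213.165.2.150', '213.165.2.250'),
    );
    foreach ($ranges as $range) {
        if (ipv4_in_range($ip, $range[0], $range[1])) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs covering both range boundaries and malformed values.
$samples = array('83.223.97.130', '83.223.97.129', '213.165.2.250',
                 '213.165.2.251', '83.223.97.200, 10.0.0.1', '');
foreach ($samples as $sample) {
    printf("%-28s %s\n", var_export($sample, true),
        is_allowed_submitter($sample) ? 'allow' : 'deny');
}

// In the form's on-submit code the check would use the socket peer address:
// if (!is_allowed_submitter($_SERVER['REMOTE_ADDR'])) {
//     $mainframe->redirect('index.php');
//     return;
// }
```

Behind a reverse proxy or CDN, `REMOTE_ADDR` holds the proxy's address, so the check has to run where the real peer address is visible. Headers such as `X-Forwarded-For` are client-supplied unless a trusted proxy overwrites them.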
Hi /Fredrik,
the list of IP's are that of the 3rd party, so thanks for the advice, really appreciated
Regards
Alan