When I added the recaptcha, it triggered an error because the recaptcha is not whitelisted.
I read that HTML5 does not allow assigning the name attribute to div. i.e. <div name="myName"></div>.
Against convention, I tried adding a name to the recaptcha div and adding that name to the whitelist. That approach failed.
There is an iframe within the div that has the name attribute. I tried using the iframe name in the whitelist. That approach also failed.
There is a hidden input that has an id="recaptcha-token". I added 'recaptcha-token' to the whitelist. This approach also failed.
The hidden input is generated by the recaptcha api, so I don't think I have a means of assigning a name attribute to this input.
Does anyone have a workaround or suggestion?
Note: form validation and whitelist all worked as expected prior to adding recaptcha.
This is the div within the form.
Code:
<div class="row">
    <div class="col-md-12">
        <div class="g-recaptcha" data-sitekey="<?php print $public_key;?>"></div>
    </div>
</div>
Here are the code blocks:
Code:
function verifyFormToken($form) {
    // Collect messages in the caller's $errors array; as a local variable it was discarded on return
    global $errors;
    if (!isset($_SESSION[$form.'_token'])) {
        $errors[] = "Session not set and no token";
        return false;
    } else {
        //echo 'Session token is set.'.'<br>';
    }
    if (!isset($_POST['token'])) {
        $errors[] = 'No form token was sent!'.'<br>';
        return false;
    }
    if ($_SESSION[$form.'_token'] !== $_POST['token']) {
        $errors[] = 'tokens don\'t match!'.'<br>';
        return false;
    } else {
        //echo 'Tokens match. Good to go.'.'<br>';
        return true;
    }
}
// VERIFY LEGITIMACY OF TOKEN
if (verifyFormToken('form1')) {
    // Build a whitelist of the keys the form is expected to send; no others are accepted later on
    $whitelist = array('token','req-fName','req-lName','req-email','req-phone','req-address','req-city','req-state','req-zip','req-message','req_method','req-dateDepart','req-dateReturn','recaptcha-token','submit');
    // Walk the $_POST superglobal
    foreach ($_POST as $key => $item) {
        // Check whether $key (field name from $_POST) is in the whitelist array.
        // Strict comparison (third argument) stops numeric keys from loosely matching string entries.
        if (!in_array($key, $whitelist, true)) {
            writeLog('Unknown form fields');
            //die('Hack-Attempt detected. Only the fields originally included in the form are allowed!');
            echo "Hack-Attempt detected.";
        }
    }
}
Thanks in advance for having a look at this.
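Added example, not part of the original post: the reCAPTCHA v2 widget adds a form field named `g-recaptcha-response` to the enclosing form, so that is the key the whitelist has to accept, and its value is then checked server-side against Google's siteverify endpoint. The helper names, the stubbed HTTP callable, the placeholder secret and the sample POST data are constructed for illustration; the field list is the post's, assuming the state field is `req-state`.

```php
<?php
// Added example: helper names are hypothetical; field list follows the post, plus reCAPTCHA's field.
const ALLOWED_FIELDS = ['token', 'req-fName', 'req-lName', 'req-email', 'req-phone',
    'req-address', 'req-city', 'req-state', 'req-zip', 'req-message', 'req_method',
    'req-dateDepart', 'req-dateReturn', 'g-recaptcha-response', 'submit'];

// Return the posted field names that are not on the whitelist (compared as strings).
function unexpectedFields(array $post, array $allowed): array
{
    $names = array_map('strval', array_keys($post));
    return array_values(array_diff($names, $allowed));
}

// POST the widget response to Google's siteverify endpoint and return the raw body.
function siteverifyRequest(array $params)
{
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => 'Content-Type: application/x-www-form-urlencoded',
        'content' => http_build_query($params),
        'timeout' => 5,
    ]]);
    return @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $ctx);
}

// True only when siteverify answers {"success": true}; any error fails closed.
function verifyRecaptcha($response, string $secret, ?callable $http = null): bool
{
    if (!is_string($response) || $response === '') {
        return false;
    }
    $body = ($http ?? 'siteverifyRequest')(['secret' => $secret, 'response' => $response]);
    $json = is_string($body) ? json_decode($body, true) : null;
    return is_array($json) && ($json['success'] ?? false) === true;
}

// Constructed sample data and a stubbed HTTP call so the example runs offline.
$post = ['token' => 'abc', 'req-email' => 'a@example.com',
         'g-recaptcha-response' => 'sample', 'evil' => '1'];
$stub = function (array $p) { return json_encode(['success' => $p['response'] === 'sample']); };

var_dump(unexpectedFields($post, ALLOWED_FIELDS));   // fields outside the whitelist
var_dump(verifyRecaptcha($post['g-recaptcha-response'], 'PLACEHOLDER_SECRET', $stub));
var_dump(verifyRecaptcha('', 'PLACEHOLDER_SECRET', $stub)); // missing response is rejected
```

In production, drop the stub argument so `verifyRecaptcha()` calls siteverify with the real secret key, and reject the submission when either check fails.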