Is my CSRF and XSS security in a PHP form correct?

Hello, I am new to PHP and security and I am trying to learn.

Can you please comment on my code: do I do the XSS and CSRF correctly with AJAX, and is it secure enough, or maybe I need to add something? Please ignore the front end, it's just some copy-paste.

Do I really need data validation checks in my mailer.php? Because I use the HTML5 form validation checks.
And do I need another die(); after the mail was sent (the red comment)?

Also, I have CSRF; do I need Google reCAPTCHA? Or is it either CSRF or the reCAPTCHA, but not both of them together?

**I know of the existence of PHPMailer but I don't want to use it, because I want to test/learn things with the mail() function.

@benanamen, Nov 04.2017 — You want comments on code you didn't post?
@Strider64, Nov 04.2017 — You'll need Google's reCaptcha for that; it prevents spambots, not Cross-Site Request Forgery attacks.

I personally think it's easier to use PHPMailer (or Swiftmailer, which I use) than using PHP's mail() function, and it's more secure than putting in the countermeasures yourself. Why re-invent the wheel? It's also easier to test on a local server.
@Netero (author), Nov 04.2017 — Can someone tell me why I can't post code in here?
@Netero (author), Nov 04.2017 — Can some mod edit my OP and put the code in?

https://ufile.io/7ev0d
@benanamen, Nov 04.2017 — OP, you need to post your code IN THE FORUM using the code tags. Most of us are not going to download anything. Also, pictures are for hanging on the wall. Do not post an image of code.
@Netero (author), Nov 05.2017 — The image is the bug from the forum, not the code, lol.
@Netero (author), Nov 05.2017 — [code=php]<?php
session_start();
// One CSRF token per session: it is embedded in the form below and must be
// compared against $_SESSION['token'] by mail.php on every POST.
if (empty($_SESSION['token'])) {
    $_SESSION['token'] = bin2hex(random_bytes(32));
}
$key = $_SESSION['token'];
?>

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Website Contact Form</title>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">

<script>
function _(id) { return document.getElementById(id); }
function submitForm() {
    // Disable the button so the form cannot be submitted twice while the request runs.
    _("submit-button").disabled = true;
    _("status").textContent = 'please wait ...';
    var formdata = new FormData();
    formdata.append("name", _("name").value);
    formdata.append("email", _("email").value);
    formdata.append("comments", _("comments").value);
    formdata.append("key", _("key").value); // the CSRF token travels in the POST body

    var ajax = new XMLHttpRequest();
    ajax.open("POST", "mail.php");
    ajax.onreadystatechange = function () {
        if (ajax.readyState == 4 && ajax.status == 200) {
            if (ajax.responseText == "success") {
                // The thank-you markup is static; the visitor's name is inserted with
                // textContent so that whatever was typed is shown as text, never parsed as HTML.
                _("contact-form").innerHTML = '<h2>&#917;&#965;&#967;&#945;&#961;&#953;&#963;&#964;&#974; <span id="thanks-name"></span>, &#964;&#959; &#956;&#942;&#957;&#965;&#956;&#945; &#963;&#959;&#965; &#963;&#964;&#940;&#955;&#952;&#951;&#954;&#949;</h2>';
                _("thanks-name").textContent = _("name").value;
            } else {
                // Any other reply is an error message from mail.php; show it as plain text.
                _("status").textContent = ajax.responseText;
                _("submit-button").disabled = false;
            }
        }
    };
    ajax.send(formdata);
}
</script>
</head>
<body>

<form id="contact-form" onsubmit="submitForm(); return false;" method="post">

    <label style="color:wheat;" for="name">&#927;&#957;&#959;&#956;&#945; *</label>
    <div class="form-group">
        <input id="name" placeholder="&#932;&#959; &#972;&#957;&#959;&#956;&#945; &#963;&#959;&#965;" type="text" class="form-control" style="width: 30%" required>
    </div>

    <label style="color:wheat;" for="email">Email *</label>
    <div class="input-group">
        <span class="input-group-addon"><i class="fa fa-envelope-o fa-fw"></i></span>
        <input id="email" style="width: 26%" class="form-control" type="email" placeholder="&#932;&#959; Email &#963;&#959;&#965;" required>
    </div>

    <label style="padding-top: 8px; color:wheat;" for="comments">&#931;&#967;&#972;&#955;&#953;&#945; *</label>
    <div class="form-group">
        <textarea id="comments" placeholder="&#915;&#961;&#940;&#968;&#949; &#956;&#945;&#962; &#941;&#957;&#945; &#956;&#942;&#957;&#965;&#956;&#945; &#956;&#949; &#964;&#965;&#967;&#972;&#957; &#949;&#961;&#969;&#964;&#942;&#963;&#949;&#953;&#962;/&#945;&#960;&#959;&#961;&#943;&#949;&#962; &#960;&#959;&#965; &#941;&#967;&#949;&#953;&#962; &#954;&#945;&#953; &#952;&#945; &#963;&#959;&#965; &#945;&#960;&#945;&#957;&#964;&#942;&#963;&#959;&#965;&#956;&#949; &#940;&#956;&#949;&#963;&#945;!" class="form-control" rows="8" style="resize:none;" required></textarea>
    </div>

    <div class="form-group">
        <input id="submit-button" name="submit" type="submit" value="&#913;&#960;&#959;&#963;&#964;&#959;&#955;&#942;" class="btn btn-info btn-block">
        <!-- The token is hex, but escaping it anyway keeps the attribute safe if that ever changes. -->
        <input type="hidden" id="key" name="key" value="<?php echo htmlspecialchars($key, ENT_QUOTES, 'UTF-8'); ?>">
        <span id="status"></span>
    </div>

</form>

<div>
    <br>
    <p>
        This is some random text; it stays here so you can see the AJAX magic tricks.
    </p>
</div>

</body>
</html>[/code]
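The thread never shows the server side, so here is an added example of a mail.php that would pair with the form above (it is not the original poster's mailer.php): it compares the session token in constant time, re-validates every field on the server because the HTML5 checks only run in the browser, and rejects CR/LF before anything reaches mail(). The field names, the 'key' token and the literal "success" reply come from the posted form; the recipient and sender addresses are assumed placeholders.

```php
<?php
// Added example: a mail.php to pair with the posted form. It is not the
// original poster's mailer.php; the field names, the 'key' token and the
// literal "success" reply come from the posted form, all else is assumed.
session_start();
header('Content-Type: text/plain; charset=UTF-8');

function fail(int $status, string $message): void {
    http_response_code($status);
    die($message);                    // the form shows this text in #status
}
function field(string $name): string { // ignore arrays such as name[]=x
    $v = $_POST[$name] ?? '';
    return is_string($v) ? trim($v) : '';
}

// 1. CSRF: constant-time comparison of the posted token with the session token.
if (empty($_SESSION['token']) || !hash_equals($_SESSION['token'], field('key'))) {
    fail(403, 'Invalid or missing form token.');
}

// 2. Server-side validation. HTML5 "required" and type="email" run only in
//    the browser; anyone can POST straight to this script and skip them.
$name = field('name'); $email = field('email'); $comments = field('comments');
if ($name === '' || $email === '' || $comments === '') {
    fail(400, 'All fields are required.');
}
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    fail(400, 'Invalid email address.');
}
// 3. Header injection: mail() writes $headers as raw message headers, so a CR
//    or LF in a value used there would let the sender add headers of their own.
if (preg_match('/[\r\n]/', $name . $email)) {
    fail(400, 'Invalid characters in name or email.');
}

// 4. Build the message: the visitor's address goes in the body and Reply-To;
//    From: stays a fixed address on your own domain.
$to      = 'contact@example.com';                 // assumed recipient
$subject = 'Website contact form';
$body    = "Name: $name\nEmail: $email\n\n$comments\n";
$headers = "From: noreply@example.com\r\n"        // assumed sender
         . "Reply-To: $email\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";

if (!mail($to, $subject, $body, $headers)) {
    fail(500, 'Mail could not be sent.');
}
echo 'success';  // exact string the form's JavaScript checks; nothing runs after it
```

Because echo 'success' is the last statement, no further die() is needed after the mail is sent; every failure path already stops the script inside fail().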
@Netero (author), Nov 05.2017 — benanamen, can you post any code?

I tried all the forum tags (php, code, html, no tags) but got the same bug:


------------------------------------------------------------------------
Something went wrong!

Sadly, you’ve reached a page that can’t be displayed.

We’ve logged this action, so we are aware there is an issue!

At this time, please hit your browser’s back button or simply close this page!

The incident ID is: 3280347660667452591.

Event id: 1621616204538397357
-------------------------------------------------------------------------

@Train, Nov 05.2017 — Just wait a bit and try again.

We do have an [b]Official: "something went wrong" - Comments page.[/b]

http://www.webdeveloper.com/forum/showthread.php?357637-Official-quot-something-went-wrong-quot-Comments