133 lines
4.3 KiB
PHP
133 lines
4.3 KiB
PHP
<?php
|
|
session_start();
|
|
|
|
function sanitize_text(string $name, string $type) {
|
|
$filters = array(
|
|
'text' => FILTER_SANITIZE_SPECIAL_CHARS,
|
|
'email' => FILTER_SANITIZE_EMAIL,
|
|
);
|
|
$text = trim($text);
|
|
$text = filter_var($_POST[$name], $filters[$type]);
|
|
$text = stripslashes($text);
|
|
|
|
return $text;
|
|
}
|
|
|
|
function prepare_message_body($message) {
|
|
// Replace HTML-Entities with actual carriage returns and line feeds
|
|
$message = str_replace(" ", "\r", $message);
|
|
$message = str_replace(" ", "\r", $message);
|
|
|
|
// Ensure line breaks via carriage return + line feed
|
|
$message = str_replace("\r\n", "\n", $message);
|
|
$message = str_replace("\n", "\r\n", $message);
|
|
|
|
$message = "Nachricht von: $name\r\n\r\n" . $message;
|
|
$message = base64_encode($message);
|
|
|
|
return $message;
|
|
}
|
|
|
|
/**
|
|
* Sending email
|
|
*
|
|
* mail(): Braucht auf dem Server einen korrekt konfigurierten Mailserver
|
|
* phpmailer: Bibliothek, der per Composer installiert wird. Tut ganz gut mit SMTP.
|
|
*/
|
|
function send_message_to_office($subject, $message, $name, $email) {
|
|
return mail(
|
|
getenv('WTF_CONTACT_TO'),
|
|
"=?UTF-8?B?" . base64_encode($subject) . "?=",
|
|
prepare_message_body($message),
|
|
$additional_headers = array(
|
|
"From" => getenv('WTF_CONTACT_FROM'),
|
|
"Reply-To" => $email,
|
|
"Return-Path" => getenv('WTF_RETURN_PATH'),
|
|
"Content-Type" => "text/plain; charset=utf-8",
|
|
"Content-Transfer-Encoding" => "base64",
|
|
),
|
|
);
|
|
}
|
|
|
|
function send_response($response_data) {
|
|
$json = json_encode($response_data);
|
|
if ($json === false) {
|
|
// Avoid echo of empty string (which is invalid JSON), and
|
|
// JSONify the error message instead:
|
|
$json = json_encode(["jsonError" => json_last_error_msg()]);
|
|
if ($json === false) {
|
|
// This should not happen, but …
|
|
$json = '{"jsonError":"unknown"}';
|
|
}
|
|
// Set HTTP response status code to: 500 - Internal Server Error
|
|
http_response_code(500);
|
|
}
|
|
header('Content-type: application/json');
|
|
echo $json;
|
|
}
|
|
|
|
function prepare_response() {
|
|
$response = array();
|
|
|
|
if (empty($_POST['message'])) {
|
|
$response['errors'][] = 'Sieh haben keine Nachricht eingegeben.';
|
|
}
|
|
if (empty($_POST['email'])) {
|
|
$response['errors'][] = 'Sie haben keine E-Mail-Adresse eingegeben.';
|
|
}
|
|
if (empty($_POST['name'])) {
|
|
$response['errors'][] = 'Sie haben keinen Namen eingegeben.';
|
|
}
|
|
if (empty($_POST['subject'])) {
|
|
$response['errors'][] = 'Sie haben keinen Betreff eingegeben.';
|
|
}
|
|
/**
|
|
* Idee zur Bot-Erkennung:
|
|
* 1. Ein Bot hat das Pseudocaptcha entweder leer abgeschickt, oder sich selbst etwas ausgedacht.
|
|
* 2. Ein Bot schickt die Daten in unter 5s ab.
|
|
* 3. Ein Mensch braucht nicht länger als 60min.
|
|
*/
|
|
if (
|
|
$_POST['captcha'] != 'Nudelsuppe' or
|
|
time() - $_SESSION['start_time'] < 5 or
|
|
time() - $_SESSION['start_time'] > 3600
|
|
) {
|
|
$response['errors'][] = 'Wir glauben Sie sind ein Bot.';
|
|
}
|
|
if (!array_key_exists('errors', $response)) {
|
|
$subject = sanitize_text('subject', 'text');
|
|
$message = sanitize_text('message', 'text');
|
|
$name = sanitize_text('name', 'text');
|
|
$email = sanitize_text('email', 'email');
|
|
|
|
if (!send_message_to_office($subject, $message, $name, $email)) {
|
|
$response['errors'][] = 'Ihre Nachricht konnte nicht übermittelt werden.';
|
|
} else {
|
|
$response['status'] = 'ok';
|
|
}
|
|
}
|
|
return $response;
|
|
}
|
|
|
|
if ($_SERVER["REQUEST_METHOD"] == "POST") {
|
|
$response = array();
|
|
|
|
if (empty($_POST['action'])){
|
|
$response['errors'][] = 'Kann eigentlich nicht passieren :/';
|
|
} else {
|
|
if ($_POST['action'] == 'start_session') {
|
|
$_SESSION['start_time'] = time();
|
|
// $response['session_start_time'] = $_SESSION['start_time'];
|
|
// $response['session_id_before'] = session_id();
|
|
} elseif ($_POST['action'] == 'handle_form') {
|
|
$response = prepare_response();
|
|
session_destroy();
|
|
} else {
|
|
$response['errors'][] = 'Kann eigentlich auch nicht passieren :/';
|
|
}
|
|
}
|
|
send_response($response);
|
|
} else {
|
|
http_response_code(404);
|
|
}
|