I have a problem with SESSIONs in WordPress. I have looked around but could not find any answer. A similar question has been asked in another post on Stack Overflow, but no answer yet. I have followed this tutorial to build my own FORM: "build your own WordPress contact form in 5 minutes".
To make my form more secure, I decided to generate a session string and store this string in a SESSION global array (to prevent form hijacking). I send this same string as a hidden field when the form is posted. And then I compare these 2 values. However, it seems to me that when the form is submitted, the SESSION is not the same as the one I stored in the SESSION array before submission.
```php
function myfunction() {
    ob_start();
    $errors = array();
    //deliver_mail();
    if ( isset( $_POST['cf-submitted'] ) ) {
        // Compare the posted token with the one stored in the session
        if ( $_POST['formtoken1'] !== $_SESSION['formtoken1'] ) {
            $errors['token'] = '<div>The form submitted is not valid.</div>';
            //debug
            echo $_SESSION['formtoken1']; // At this point, SESSION[formtoken1] should be the same as the one we generated before FORM submit, but it is not!
        }
        if ( empty( $errors ) ) {
            //No Errors! Send Email
        }
    }
    // Generate a new token for the next render and store it in the session
    $_SESSION['formtoken1'] = md5( uniqid( rand(), true ) );
    $_SESSION['formtoken1'] = htmlspecialchars( $_SESSION['formtoken1'] );
    echo '<form action="' . esc_url( $_SERVER['REQUEST_URI'] ) . '" method="post">';
    echo '<input type="text" name="formtoken1" id="formtoken1" value="' . ( isset( $_SESSION['formtoken1'] ) ? $_SESSION['formtoken1'] : '' ) . '" />';
    echo '<p><input type="submit" name="cf-submitted" value="Send"></p>';
    echo '</form>';
    return ob_get_clean();
}
add_shortcode( 'my_contact_form', 'myfunction' ); //Create shortcode
```
When this form is submitted, it always creates an error because the SESSION variable is not the same as the POST variable. When I test this same code outside WordPress on my local XAMPP server, it works. I will be grateful if anyone can help me. I have also tried session_start() at the top of the script, but still the same problem.
After some trials, I realized that the post title was displaying on top of the page. I was starting ob_start() inside myfunction(). So, the title was outputting before the SESSION was started. I changed the code as below, and it works for now. The only problem with this solution is that WordPress is calling ob_start() at every page load. It would be better if it worked inside myfunction() because it would mean ob_start() is executed only when the shortcode is called within a post.
```php
//Plugin Name: test form
ob_start(); // put this outside the myfunction()
// Start the session before any output is sent
if ( ! session_id() ) {
    session_start();
}
function myfunction() {
    $errors = array();
    //deliver_mail();
    if ( isset( $_POST['cf-submitted'] ) ) {
        // Compare the posted token with the one stored in the session
        if ( $_POST['formtoken1'] !== $_SESSION['formtoken1'] ) {
            $errors['token'] = '<div>The form submitted is not valid.</div>';
            //debug
            echo $_SESSION['formtoken1']; // At this point, SESSION[formtoken1] should be the same as the one we generated before FORM submit, but it is not!
        }
        if ( empty( $errors ) ) {
            //No Errors! Send Email
        }
    }
    // Generate a new token for the next render and store it in the session
    $_SESSION['formtoken1'] = md5( uniqid( rand(), true ) );
    $_SESSION['formtoken1'] = htmlspecialchars( $_SESSION['formtoken1'] );
    echo '<form action="' . esc_url( $_SERVER['REQUEST_URI'] ) . '" method="post">';
    echo '<input type="text" name="formtoken1" id="formtoken1" value="' . ( isset( $_SESSION['formtoken1'] ) ? $_SESSION['formtoken1'] : '' ) . '" />';
    echo '<p><input type="submit" name="cf-submitted" value="Send"></p>';
    echo '</form>';
    return ob_get_clean();
}
add_shortcode( 'my_contact_form', 'myfunction' ); //Create shortcode
```
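The following is an added example (not the asker's code and not from the linked tutorial) showing how the same session-token check can be written so that the session is started on WordPress's `init` hook instead of with a plugin-wide `ob_start()`, the token comes from a CSPRNG, the comparison is constant-time, and the shortcode builds and returns its markup rather than buffering `echo` output. The plugin name, function names and the `formtoken1` field name are assumptions kept close to the question.

```php
<?php
/*
Plugin Name: hardened token form (added example, assumed plugin name)
*/

// Start the PHP session on 'init', which runs before the theme sends any
// output, so no ob_start() is needed anywhere in the plugin.
add_action( 'init', function () {
    if ( ! session_id() ) {
        session_start();
    }
} );

// Return the session's form token, creating one from a CSPRNG if absent.
// The token is reused until a valid submission consumes it.
function hardened_form_token() {
    if ( empty( $_SESSION['formtoken1'] ) ) {
        $_SESSION['formtoken1'] = bin2hex( random_bytes( 32 ) ); // 64 hex chars
    }
    return $_SESSION['formtoken1'];
}

// Constant-time comparison; false for a missing, non-string or empty token.
function hardened_form_token_valid( $submitted ) {
    if ( ! is_string( $submitted ) || $submitted === '' || empty( $_SESSION['formtoken1'] ) ) {
        return false;
    }
    return hash_equals( $_SESSION['formtoken1'], $submitted );
}

// Shortcode handler: validates a submission, then renders the form.
function hardened_contact_form() {
    $errors = array();

    if ( isset( $_POST['cf-submitted'] ) ) {
        $submitted = isset( $_POST['formtoken1'] ) ? $_POST['formtoken1'] : '';
        if ( ! hardened_form_token_valid( $submitted ) ) {
            $errors['token'] = 'The submitted form is not valid.';
        } else {
            // One-time use: discard the consumed token so a replayed POST fails.
            unset( $_SESSION['formtoken1'] );
            // No errors: send the email here.
        }
    }

    // Fresh token after a valid post, or the existing one after an error.
    $token = hardened_form_token();

    $html = '';
    foreach ( $errors as $message ) {
        $html .= '<div class="error">' . esc_html( $message ) . '</div>';
    }
    $html .= '<form action="' . esc_url( $_SERVER['REQUEST_URI'] ) . '" method="post">';
    // The token travels in a hidden field and is attribute-escaped on output.
    $html .= '<input type="hidden" name="formtoken1" value="' . esc_attr( $token ) . '" />';
    $html .= '<p><input type="submit" name="cf-submitted" value="Send"></p>';
    $html .= '</form>';

    // Shortcodes return their markup; WordPress inserts it into the post body.
    return $html;
}
add_shortcode( 'my_contact_form', 'hardened_contact_form' );
```

Two design points: building a string and returning it is what a shortcode callback is expected to do, so the `ob_start()`/`ob_get_clean()` pair disappears and the session only has to exist before the theme's first byte of output, which the `init` hook guarantees; and `hash_equals()` plus a token from `random_bytes()` replaces `!==` on an `md5(uniqid())` value, removing both the timing leak and the predictable-seed problem. If you prefer not to use PHP sessions in WordPress at all, the built-in `wp_nonce_field()` / `wp_verify_nonce()` pair gives a per-user, time-limited token for the same purpose without any `session_start()`.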