JugglingBob - 3 months ago
HTML Question

Hide '<input type="hidden" name="userIP" value="<?php echo $_SERVER['REMOTE_ADDR']; ?>">' from inspect element

I have this HTML and PHP contact form:

<?php

$valid = true;
$errors = array();
$contact = array(
    'name' => null,
    'email' => null,
    'subject' => null,
    'message' => null
);

// Check if the form has been posted
if (isset($_POST['name'], $_POST['email'], $_POST['message'])) {
    // Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1
    $contact = filter_input_array(INPUT_POST, array(
        'name' => FILTER_SANITIZE_STRING,
        'email' => FILTER_SANITIZE_STRING,
        'subject' => FILTER_SANITIZE_STRING,
        'message' => FILTER_SANITIZE_STRING,
    ), true);
    if (empty($_POST['name'])) {
        $valid = false;
        $errors['name'] = "You must enter your name.";
    }
    if (empty($_POST['email'])) {
        $valid = false;
        $errors['email'] = "You must enter your email address.";
    } elseif (!filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL)) {
        $valid = false;
        $errors['email'] = "You must enter a valid email address.";
    }
    if (empty($_POST['message'])) {
        $valid = false;
        $errors['message'] = "You must enter a message and/or subject.";
    }
    if ($valid) {
        // The email address the email will be sent to
        $to = "email@outlook.com";
        // The email subject
        $subject = $_POST['subject'];
        // Set the From address and X-Mailer header (the address was validated above)
        $headers = "From: " . $_POST['email'] . "\r\n"
            . "X-Mailer: PHP/" . phpversion();
        // Build the body of the email
        $mailbody = "The contact form has been filled out.\n\n"
            . "Name: " . $_POST['name'] . "\n"
            . "Email: " . $_POST['email'] . "\n"
            . "Message:\n" . $_POST['message'] . "\n"
            . "IP: " . $_POST['userIP'];
        // Send the email
        mail($to, $subject, $mailbody, $headers);
        // Go to the thank you page
        header("location: contact.php");
        exit;
    }
}
?>

<form method="post">
<div id="contactform">
    <input type="text" class="field_a" name="name" value="<?php echo htmlspecialchars($contact['name']);?>" placeholder="Enter your name here">
    <br>
    <br>
    <input class="field_a" name="email" type="email" value="<?php echo htmlspecialchars($contact['email']);?>" placeholder="And your email is?">
    <br>
    <br>
    <input class="field_a" name="subject" type="text" value="<?php echo htmlspecialchars($contact['subject']);?>" placeholder="We need to know what your message is about">
    <br>
    <br>
    <textarea class="field_b" name="message" rows="10" cols="25" placeholder="Finally, the message.."><?php echo htmlspecialchars($contact['message']);?></textarea>
    <br>
    <br>
    <input class="field_c" style="width:830px;" name="send_mail" type="submit" value="Ready to send your message to All Things Roblox? Click me!">
    <input type="hidden" name="userIP" value="<?php echo $_SERVER['REMOTE_ADDR']; ?>">
</div>
</form>


I use the code
<input type="hidden" name="userIP" value="<?php echo $_SERVER['REMOTE_ADDR']; ?>">
to grab the user's IP address, but they can easily prevent this by using inspect element on that piece of code.

How would I prevent
<input type="hidden" name="userIP" value="<?php echo $_SERVER['REMOTE_ADDR']; ?>">
from showing?

Thanks again!

Lal
Answer

Never pass this kind of valuable information through the client side. Instead, do it on the server side itself. On the server side, you can post your valuable data to other pages and receive it there.

In this case you can directly get the IP address using <?php echo $_SERVER['REMOTE_ADDR']; ?> on the server side (PHP) itself. There is no need to pass it through HTML.

UPDATE

Here in your PHP code, instead of doing

$mailbody = "The contact form has been filled out.\n\n"
    . "Name: " . $_POST['name'] . "\n"
    . "Email: " . $_POST['email'] . "\n"
    . "Message:\n" . $_POST['message'] . "\n"
    . "IP: " . $_POST['userIP'];

like this, you can directly call

$mailbody = "The contact form has been filled out.\n\n"
    . "Name: " . $_POST['name'] . "\n"
    . "Email: " . $_POST['email'] . "\n"
    . "Message:\n" . $_POST['message'] . "\n"
    . "IP: " . $_SERVER['REMOTE_ADDR'];

And thus you can eliminate the need for a hidden field.
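
An added example (not code from the question or the answer): one way to take the address from the server's own view of the connection, so that an edited `userIP` field has no effect. It goes a little beyond the answer by also covering a site behind a reverse proxy; the names `client_ip` and `build_mail_body`, the `$trustedProxies` list and both sample requests are assumptions constructed for illustration.

```php
<?php
// Added example. $trustedProxies and both sample requests are constructed.

// Address of the peer as the server saw it. A posted "userIP" field is never
// read (the client controls it); X-Forwarded-For counts only behind our own proxy.
function client_ip(array $server, array $trustedProxies = []): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer; // direct connection, or a proxy we do not run
    }
    // Walk right to left: each trusted proxy appended the address it saw.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: fall back to the proxy's own address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop; // first address not added by our own proxies
        }
    }
    return $peer;
}

function build_mail_body(array $post, array $server, array $trustedProxies = []): string
{
    return "The contact form has been filled out.\n\n"
        . "Name: " . ($post['name'] ?? '') . "\n"
        . "Email: " . ($post['email'] ?? '') . "\n"
        . "Message:\n" . ($post['message'] ?? '') . "\n"
        . "IP: " . (client_ip($server, $trustedProxies) ?? 'unknown');
}

// Constructed request 1: the hidden field was edited in the browser.
$post = ['name' => 'Bob', 'email' => 'bob@example.com', 'message' => 'Hi', 'userIP' => '192.0.2.1'];
echo build_mail_body($post, ['REMOTE_ADDR' => '203.0.113.7']), "\n\n";

// Constructed request 2: behind a reverse proxy at 10.0.0.5; the left-most
// X-Forwarded-For entry was supplied by the client, the right-most by the proxy.
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 203.0.113.7'];
echo client_ip($proxied, ['10.0.0.5']), "\n";
```

In the form handler itself the call would be `build_mail_body($_POST, $_SERVER)`, with the proxy list left empty unless the site really sits behind a proxy you operate.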