Gravity Support Forums Topic: My gravity forms are easily hackable !!!

Gravity Support Forums Topic: My gravity forms are easily hackable !!! https://legacy.forums.gravityhelp.com/topic/my-gravity-forms-are-easily-hackable Gravity Support Forums Topic: My gravity forms are easily hackable !!! en-US Mon, 20 Apr 2026 04:50:34 +0000 http://bbpress.org/?v=1.0.1 <![CDATA[Search]]> q https://legacy.forums.gravityhelp.com/search.php Chris Hajer on "My gravity forms are easily hackable !!!" https://legacy.forums.gravityhelp.com/topic/my-gravity-forms-are-easily-hackable#post-141296 Mon, 04 Feb 2013 07:49:51 +0000 Chris Hajer 141296@https://legacy.forums.gravityhelp.com/ One suggestion would be to use gform_after_submission instead of gform_post_submission, as gform_post_submission has been deprecated. <a href="http://www.gravityhelp.com/documentation/page/Gform_post_submission" rel="nofollow">http://www.gravityhelp.com/documentation/page/Gform_post_submission</a> <a href="http://www.gravityhelp.com/documentation/page/Gform_after_submission" rel="nofollow">http://www.gravityhelp.com/documentation/page/Gform_after_submission</a> However, that is after the entry and the post are created, so that is still too late. You could use the gform_pre_submission_filter to check to see if the user is logged in at that time, and reject the submission at that point. Or even the gform_validation filter to return an error if the user is not logged in. <a href="http://www.gravityhelp.com/documentation/page/Gform_pre_submission_filter" rel="nofollow">http://www.gravityhelp.com/documentation/page/Gform_pre_submission_filter</a> <a href="http://www.gravityhelp.com/documentation/page/Gform_validation" rel="nofollow">http://www.gravityhelp.com/documentation/page/Gform_validation</a> I think your approach would be fine, but just done with a different hook or filter. ramey on "My gravity forms are easily hackable !!!" https://legacy.forums.gravityhelp.com/topic/my-gravity-forms-are-easily-hackable#post-140940 Mon, 04 Feb 2013 02:22:22 +0000 ramey 140940@https://legacy.forums.gravityhelp.com/ a) I have the spammer's IP blocked which address this particular situation for now. b) I have the box " Require user to be logged in (?) " checked. But I'm creating a custom form and I'm guessing I'm overriding this. I can use the WP api to require that one be logged in to see the form, but this has a few problems of it's own 1) I want users who are not logged in to be able to see the form before making any commitment. 2) I'm using he form to display the custom post created by the form. This has to be viewable by anyone. If you're really interested, you can check it out at <a href="http://www.blincubator.com" rel="nofollow">http://www.blincubator.com</a> Soooo ideally what I would like is to trap and reject any form submissions which come from anyone not logged in. Here is my code. I don't know if it really works. That is, I don't know if the rejects the post soon enough to avoid having it created. I guess I'll just have to unblock the IP address (Their still trying to spam me - I guess I should feel flattered). Any suggestions you want to make would be appreciated. <pre><code>add_action( "gform_post_submission_1", "library_submission_handler", 10, 2 ); function library_submission_handler($entry, $form) { $post_id = $entry['post_id']; //echo "entry = " . print_r($entry) . ""; if(get_post_type($post_id) != 'bi_library') return; if(! is_user_logged_in()) return; $post = get_post($post_id); $post->post_excerpt = $entry["10"]; wp_set_post_tags($post_id, $entry["32"], false); //$post->post_status = 'pending'; $post->comment_status = 'open'; wp_update_post( $post ); }</code></pre> Chris Hajer on "My gravity forms are easily hackable !!!" https://legacy.forums.gravityhelp.com/topic/my-gravity-forms-are-easily-hackable#post-140718 Sun, 03 Feb 2013 21:39:43 +0000 Chris Hajer 140718@https://legacy.forums.gravityhelp.com/ Any form on the web can be submitted without actually visiting the web page and pressing submit. If you're getting a lot of spam submissions, you can try blocking the visitor's IP block in your .htaccess file, or you can require that the visitor be logged in by checking the box on the form settings, Advanced tab, "Require user to be logged in". Does that help you? ramey on "My gravity forms are easily hackable !!!" https://legacy.forums.gravityhelp.com/topic/my-gravity-forms-are-easily-hackable#post-140665 Sun, 03 Feb 2013 20:45:59 +0000 ramey 140665@https://legacy.forums.gravityhelp.com/ All of a sudden, I started to get new form submissions every 3 min. The resulted in 100's of bogus form submissions. I tracked this down (eventually) to the following. The hacker was requestiing the page with the form along with POST data for the form. The POST data passed the gravity forms filters. That is, it contained legal but BS data - basically links to his websites. He doesn't do it by actually opening the form and pressing the submit button - but rather emulating what happens when a user presses he submit button. Soooo - where is he best place to trap this? I can require that the use be a registered user - but I don't know which hook to use? It seems that some hooks are invoked before the form is submitted. If I trap it on "post_submission" it's already too late as the post has been created? Any help appreciated. Robert Ramey