striker/sag24-website
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: contact.php — move secrets to include file, HTML email

Browse Source 
- Replace hardcoded BOT_TOKEN, CHAT_ID, TURNSTILE_SECRET, smtp_pass
  with require_once from /opt/www/sag24.ru/contact-config.php (outside webroot)
- Convert email from plain text to HTML (text/html Content-Type)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
striker
2026-03-21 21:09:30 +03:00
parent b9d3ac011e
commit 4e33aebe55
1 changed files with 26 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
public/api/contact.php
View File

@@ -4,6 +4,18 @@ header('Access-Control-Allow-Origin: https://sag24.ru');
header('Access-Control-Allow-Methods: POST'); header('Access-Control-Allow-Methods: POST');
header('Access-Control-Allow-Headers: Content-Type'); header('Access-Control-Allow-Headers: Content-Type');
// Load secrets from outside webroot (not in git)
$configFile = dirname(__DIR__, 2) . '/contact-config.php';
if (file_exists($configFile)) {
require_once $configFile;
} else {
// Fallback values for local development (override via contact-config.php on server)
$BOT_TOKEN = getenv('TELEGRAM_BOT_TOKEN') ?: '';
$CHAT_ID = getenv('TELEGRAM_CHAT_ID') ?: '';
$TURNSTILE_SECRET = getenv('TURNSTILE_SECRET_KEY') ?: '';
$smtp_pass = getenv('SMTP_PASS') ?: '';
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') { if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
http_response_code(405); http_response_code(405);
echo json_encode(['error' => 'Method not allowed']); echo json_encode(['error' => 'Method not allowed']);
@@ -62,7 +74,6 @@ if (mb_strlen($phone) > 30) { http_response_code(400); echo json_encode(['error
if (mb_strlen($message) > 5000) { http_response_code(400); echo json_encode(['error' => 'Message too long']); exit; } if (mb_strlen($message) > 5000) { http_response_code(400); echo json_encode(['error' => 'Message too long']); exit; }
// ─── Cloudflare Turnstile verification ─────────────────────────────────────── // ─── Cloudflare Turnstile verification ───────────────────────────────────────
$TURNSTILE_SECRET = '0x4AAAAAACrQSySNBa2C2FWQq2ty1_UyLhc';
if ($TURNSTILE_SECRET) { if ($TURNSTILE_SECRET) {
if (!$turnstileToken) { if (!$turnstileToken) {
http_response_code(400); http_response_code(400);
@@ -86,8 +97,6 @@ if ($TURNSTILE_SECRET) {
} }
// ─── Telegram (best-effort, not fatal) ─────────────────────────────────────── // ─── Telegram (best-effort, not fatal) ───────────────────────────────────────
$BOT_TOKEN = '8138813013:AAElH2L5NspRLSdiFjDz6Qf32n4G24P_cj8';
$CHAT_ID = '-5230603582';
$userAgent = $_SERVER['HTTP_USER_AGENT'] ?? 'unknown'; $userAgent = $_SERVER['HTTP_USER_AGENT'] ?? 'unknown';
$referer = $_SERVER['HTTP_REFERER'] ?? ''; $referer = $_SERVER['HTTP_REFERER'] ?? '';
@@ -120,18 +129,19 @@ curl_close($ch);
$smtp_host = 'mx.hhivp.com'; $smtp_host = 'mx.hhivp.com';
$smtp_port = 587; $smtp_port = 587;
$smtp_user = 'noreply@sag24.ru'; $smtp_user = 'noreply@sag24.ru';
$smtp_pass = '9hsnDyBAk5&S4#lE';
$mail_to = 'info@sag24.ru'; $mail_to = 'info@sag24.ru';
$subject = "=?UTF-8?B?" . base64_encode("Заявка с sag24.ru от {$name}") . "?="; $subj_enc = "=?UTF-8?B?" . base64_encode("Заявка с sag24.ru от {$name}") . "?=";
$body = "Имя: {$name}\r\n"; $html_body = "<h2>Заявка с sag24.ru</h2>";
if ($company) $body .= "Компания: {$company}\r\n"; $html_body .= "<p><strong>Имя:</strong> {$name}</p>";
if ($email) $body .= "Email: {$email}\r\n"; if ($company) $html_body .= "<p><strong>Компания:</strong> {$company}</p>";
if ($phone) $body .= "Телефон: {$phone}\r\n"; if ($email) $html_body .= "<p><strong>Email:</strong> <a href=\"mailto:{$email}\">{$email}</a></p>";
$body .= "\r\nСообщение:\r\n{$message}\r\n"; if ($phone) $html_body .= "<p><strong>Телефон:</strong> {$phone}</p>";
$body .= "\r\nIP: {$ip}"; $msg_html = nl2br($message);
if ($country) $body .= " | Страна: {$country}"; $html_body .= "<p><strong>Сообщение:</strong><br>{$msg_html}</p>";
$body .= "\r\n" . date('d.m.Y H:i', time() + 3 * 3600) . " MSK"; $html_body .= "<hr><p><small>IP: {$ip}";
if ($country) $html_body .= " | Страна: {$country}";
$html_body .= " | " . date('d.m.Y H:i', time() + 3 * 3600) . " MSK</small></p>";
try { try {
$smtp = fsockopen($smtp_host, $smtp_port, $errno, $errstr, 10); $smtp = fsockopen($smtp_host, $smtp_port, $errno, $errstr, 10);
@@ -149,9 +159,9 @@ try {
fwrite($smtp, "MAIL FROM:<{$smtp_user}>\r\n"); fgets($smtp, 512); fwrite($smtp, "MAIL FROM:<{$smtp_user}>\r\n"); fgets($smtp, 512);
fwrite($smtp, "RCPT TO:<{$mail_to}>\r\n"); fgets($smtp, 512); fwrite($smtp, "RCPT TO:<{$mail_to}>\r\n"); fgets($smtp, 512);
fwrite($smtp, "DATA\r\n"); fgets($smtp, 512); fwrite($smtp, "DATA\r\n"); fgets($smtp, 512);
fwrite($smtp, "From: noreply@sag24.ru\r\nTo: {$mail_to}\r\nSubject: {$subject}\r\n"); fwrite($smtp, "From: noreply@sag24.ru\r\nTo: {$mail_to}\r\nSubject: {$subj_enc}\r\n");
fwrite($smtp, "MIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n\r\n"); fwrite($smtp, "MIME-Version: 1.0\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n");
fwrite($smtp, $body . "\r\n.\r\n"); fgets($smtp, 512); fwrite($smtp, $html_body . "\r\n.\r\n"); fgets($smtp, 512);
fwrite($smtp, "QUIT\r\n"); fwrite($smtp, "QUIT\r\n");
fclose($smtp); fclose($smtp);
} }