<?php// This script is used for both debugging WP post requests by being set a

1. <?php
2. // This script is used for both debugging WP post requests by being set as the auto_prepend file
3. // Keep in mind this gets called before EVERY php script that gets run, not only from web sites,
4. // but from command line as well, so you need to make sure values exist before just using them.
5.  
6. // Note, this directory needs to be world writeable so any of the sites can write to it
7. // So best to be out of web root of any site.
8. $log_files_to = '/path/to/prepend_script/logs/';
9.  
10. $ip_address   = array_key_exists( 'REMOTE_ADDR', $_SERVER ) ? $_SERVER['REMOTE_ADDR'] : 'CLI';
11. $http_host    = array_key_exists( 'HTTP_HOST', $_SERVER ) ? $_SERVER['HTTP_HOST'] : 'CLI';
12. $request_type = array_key_exists( 'REQUEST_METHOD', $_SERVER ) ? $_SERVER['REQUEST_METHOD'] : 'CLI';
13. $call_to      = array_key_exists( 'REQUEST_URI', $_SERVER ) ? $_SERVER['REQUEST_URI'] : $_SERVER['SCRIPT_NAME'];
14. $post         = [];
15.  
16. if ( $request_type == 'POST' &&
17.      in_array( $http_host, [
18.          'www.domain.com',
19.          'domain.com'
20.      ] ) && count( $_POST ) > 0 ) {
21.  
22.     // List of Post Keys that should NOT be logged, instead we just log how
23.     // many characters are in the string for that value.
24.     $keySkip = [
25.         'password',
26.         'pwd',
27.         'creditcard',
28.         'cardnumber'
29.     ];
30.  
31.     foreach ( $_POST as $key => $val ) {
32.         if ( in_array( $key, $keySkip ) ) {
33.             $post[ $key ] = 'HIDDEN (' . strlen( $val ) . ' length)';
34.         } else {
35.             $post[ $key ] = $val;
36.         }
37.     }
38.     unset( $keySkip, $key, $val );
39.  
40.     if ( ! file_exists( $log_files_to . $http_host ) ) {
41.         mkdir( $log_files_to . $http_host );
42.     }
43.     $fp = fopen( $log_files_to . $http_host . '/' .
44.                  date( 'Y-m-d H:i', time() - time() % ( 15 * 60 ) ) . '.log', 'a' );
45.     fwrite( $fp, "===================================================\n" );
46.     fwrite( $fp, date( 'Y-m-d @ H:i:s ' ) . " FROM: $ip_address VIA $request_type \n" );
47.     fwrite( $fp, "TO: $call_to \n" );
48.     fwrite( $fp, 'POST: ' . var_export( $post, true ) . "\n" );
49.     fwrite( $fp, 'COOKIE: ' . var_export( $_COOKIE, true ) . "\n" );
50.     fclose( $fp );
51. }
52.  
53. // If you find you just want to shut down certain requests to keep WP from even firing,
54. // You can use this block to give out just a plain Apache style 404 error message
55. // you could probably do some other, but I like doing a 404, as then hopefully bot will think
56. // the file isn't there anymore instead of a message saying "it is here, you are not allowed"
57.  
58. if ( $some_condition == $something_that_you_want_to_just_kill_request ) {
59.     header( 'HTTP/1.0 404 Not Found' );
60.     echo '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">', PHP_EOL;
61.     echo '<html lang="en"><head><title>404 Not Found</title></head>', PHP_EOL;
62.     echo '<body>', PHP_EOL, '<h1>Not Found</h1>', PHP_EOL;
63.     echo '<p>The requested URL ', htmlspecialchars( $_SERVER['SCRIPT_URL'] ), ' was not found on this server.</p>', PHP_EOL;
64.     echo '<!-- Reason -->', PHP_EOL, '</body></html>', PHP_EOL;
65.     exit;
66. }
67.  
68. // Don't forget to unset any global scope vars here...
69. unset(
70.     $log_files_to,
71.     $ip_address,
72.     $http_host,
73.     $request_type,
74.     $call_to,
75.     $post
76. );