关闭JavaScript后,攻击者能否绕过Ajax表单
我在我的网站上有一个表单,客户端用 jQuery 做了全部校验,服务器端用 PHP 再校验一遍并对用户输入做了清理。我突然想到一个问题:在关闭 JavaScript 的情况下,攻击者(黑客)能否绕过这个 Ajax 表单?下面是 HTML 文件:
<!-- Contact form. The jQuery handler further down serializes these fields and
     POSTs them to /wp-admin/admin-ajax.php. Nothing in this markup or in that
     handler is enforced: anyone can send the same POST without a browser, so
     the PHP contact() handler has to re-validate every field on its own. -->
<form action="" method="post" id="form-contact-us" enctype="multipart/form-data">
<!-- Selects the server-side handler (action=contact); presumably routed to
     contact() through a wp_ajax_*/wp_ajax_nopriv_* hook that is not shown. -->
<input type="hidden" id="action" name="action" value="contact">
<!-- Honeypot: hidden by the "hide" CSS class, so a real user leaves it empty.
     Both the JS and the PHP drop the submission when it arrives filled in.
     NOTE(review): there is no CSRF/nonce field (e.g. wp_nonce_field) in the
     form, and the PHP handler shown does not call check_ajax_referer(). -->
<input type="text" class="hide" value="" name="challenge" id="challenge">
<div class="col-md-6 mt-10">
<label>Your Full Name <span class="required">*</span></label>
<input type="text" class="form-control" id="name" name="name" placeholder="Your Full Name">
</div>
<div class="col-md-6 mt-10">
<label>Your Email Address <span class="required">*</span></label>
<!-- type="text" rather than type="email": the format is checked by mask5 in
     the JS and by is_email() on the server instead. -->
<input type="text" class="form-control" id="email" name="email" placeholder="Your Email Address">
</div>
<div class="col-md-6 mt-10">
<!-- Optional field: no * marker, and the JS required-check skips it. -->
<label>Phone Contact</label>
<input type="text" class="form-control" id="phone" name="phone" placeholder="Phone Contact">
</div>
<div class="col-md-6 mt-10"> </div>
<div class="col-md-6 band mt-10">
<!-- NOTE: for="firstname" does not match any id in this form. -->
<label for="firstname">Your Message <span class="required">*</span></label>
<textarea class="form-control" rows="3" id="message" name="message"></textarea>
</div>
<div class="btn-group band">
<span id="loader"></span>
<!-- The submit is intercepted by the jQuery "submit" handler, which returns
     false and sends the form via AJAX instead of a normal page POST. -->
<button type="submit" class="btn btn-primary pull-right" style="margin-right: 14px; border-radius: 0px;">SEND <span class="glyphicon glyphicon-chevron-right"></span></button>
</div>
</form>
你的全名*
你的电子邮件地址*
电话联系
你的信息*
发送
JavaScript
$("form#form-contact-us").on("submit", function (){
var form, challenge, name, email, phone, message;
form = $("form#form-contact-us").serialize();
challenge = $("#challenge").val();
name = $("form#form-contact-us #name").val();
email = $("form#form-contact-us #email").val();
phone = $("form#form-contact-us #phone").val();
message = $("form#form-contact-us #message").val();
challenge = $.trim(challenge);
name = $.trim(name);
email = $.trim(email);
phone = $.trim(phone);
message = $.trim(message);
$("div#msg").removeClass("alert alert-danger alert-success").html("");
if( challenge.length > 0 ){
return false;
} else if( !name || !email || !message ){
$("div#msg").fadeIn("fast").addClass("alert alert-danger").html("All the fields marked with * is required.");
} else if( !mask2.test(name) ){
$("div#msg").fadeIn("fast").addClass("alert alert-danger").html("Your full name format is invalid.");
} else if( !mask5.test(email) ){
$("div#msg").fadeIn("fast").addClass("alert alert-danger").html("Your email address format is invalid.");
} else if( name.length < 3 ){
$("div#msg").fadeIn("fast").addClass("alert alert-danger").html("Your full name cannot be less then 3 letters.");
} else if( email.length < 5 ){
$("div#msg").fadeIn("fast").addClass("alert alert-danger").html("Your email address cannot be less then 5 letters.");
} else if( phone != "" && !mask4.test(phone) || phone.length < 7 || phone.length > 11 ){
$("div#msg").fadeIn("fast").addClass("alert alert-danger").html("Please enter your phone number.");
} else if( message.length < 5 ){
$("div#msg").fadeIn("fast").addClass("alert alert-danger").html("Your message cannot be less then 5 letters.");
} else {
$("#form-contact-us .btn-primary ").text("Please Wait...").prop('disabled', true);
$("#form-contact-us .btn-primary").addClass("disabled");
jQuery.ajax({
type:"POST",
url: "/wp-admin/admin-ajax.php",
data: form,
success:function(data){
var data = data.split("|");
var code = $.trim(data[0]);
var msg = $.trim(data[1]);
if( code == 1 ){
$("div#msg").fadeIn("fast").addClass("alert alert-success").html(msg);
$("#form-contact-us").fadeOut("fast");
} else {
$("div#msg").fadeIn("fast").addClass("alert alert-danger").html(msg);
$("#form-contact-us .btn-primary ").text("SEND <span class=\"glyphicon glyphicon-chevron-right\"></span>").attr('disabled', true);
}
$("#form-contact-us #loader").html("");
$("#form-contact-us .btn-primary").removeClass("disabled");
}
});
}
return false;
});
$(“表单#表单联系我们”)。在(“提交”,函数(){
var表格、挑战、姓名、电子邮件、电话、消息;
form=$(“form#form contact us”).serialize();
挑战=$(“#挑战”).val();
name=$(“form#form contact us#name”).val();
email=$(“form#form contact us#email”).val();
phone=$(“form#form contact us#phone”).val();
message=$(“form#form contact us#message”).val();
挑战=$.trim(挑战);
名称=$.trim(名称);
电子邮件=$.trim(电子邮件);
电话=$.trim(电话);
message=$.trim(message);
$(“div#msg”).removeClass(“警报-危险警报-成功”).html(“”);
如果(质询长度>0){
返回false;
}如果(!name | | |!email | |!message),则为else{
$(“div#msg”).fadeIn(“fast”).addClass(“alert-alert-danger”).html(“所有标有*的字段都是必需的”);
}如果(!mask2.test(名称)){
$(“div#msg”).fadeIn(“fast”).addClass(“alert-alert-danger”).html(“您的全名格式无效”);
}否则如果(!mask5.测试(电子邮件)){
$(“div#msg”).fadeIn(“fast”).addClass(“alert-alert-danger”).html(“您的电子邮件地址格式无效”);
}else if(name.length<3){
$(“div#msg”).fadeIn(“fast”).addClass(“alert-alert-danger”).html(“您的全名不能少于3个字母”);
}否则如果(email.length<5){
$(“div#msg”).fadeIn(“fast”).addClass(“alert-alert-danger”).html(“您的电子邮件地址不能少于5个字母”);
}else if(phone!=“&&&!mask4.test(phone)| | phone.length<7 | | phone.length>11){
$(“div#msg”).fadeIn(“fast”).addClass(“alert-alert-danger”).html(“请输入您的电话号码”);
}else if(message.length<5){
$(“div#msg”).fadeIn(“fast”).addClass(“alert-alert-danger”).html(“您的消息不能少于5个字母”);
}否则{
$(“#form contact us.btn primary”).text(“请稍候…”).prop('disabled',true);
$(“#form contact us.btn primary”).addClass(“disabled”);
jQuery.ajax({
类型:“POST”,
url:“/wp admin/admin ajax.php”,
数据:表格,
成功:功能(数据){
var data=data.split(“|”);
var代码=$.trim(数据[0]);
var msg=$.trim(数据[1]);
如果(代码==1){
$(“div#msg”).fadeIn(“fast”).addClass(“警报成功”).html(msg);
美元(“#表格联系我们”)。淡出(“快速”);
}否则{
$(“div#msg”).fadeIn(“fast”).addClass(“alert-alert-danger”).html(msg);
$(“#form contact us.btn primary”).text(“SEND”).attr('disabled',true);
}
$(“#表单联系我们#加载器”).html(“”);
$(“#form contact us.btn primary”).removeClass(“disabled”);
}
});
}
返回false;
});
PHP
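/**
 * admin-ajax handler for the contact form (action=contact).
 *
 * This function is the real enforcement point. The jQuery checks in the page
 * are only a convenience: anyone can POST the same field names straight to
 * /wp-admin/admin-ajax.php with JavaScript off, so every rule the client
 * applies is repeated here and nothing from $_POST is trusted.
 *
 * Replies "0 | <message>" (and exits) when a field is rejected; the accepted
 * path ends at the "All Good" marker — what is done with the cleaned values
 * after that is not part of this listing.
 *
 * Reads $_POST[challenge|name|email|phone|message]. Calls is_email(),
 * sanitize_text_field() and esc_html() from WordPress, and check_for_spam()
 * and remove_html(), which are defined elsewhere in the plugin.
 *
 * NOTE(review): there is no nonce (check_ajax_referer) and no rate limiting,
 * so the honeypot alone stands between this handler and a script that
 * submits in a loop.
 */
function contact(){
    if( $_SERVER["REQUEST_METHOD"] != "POST" ){
        return;
    }
    // Honeypot: the hidden "challenge" field must be present and empty.
    // A missing or non-string value is treated like a filled-in one — the
    // real form always sends it, so only a forged request omits it.
    if( !isset($_POST["challenge"]) || !is_string($_POST["challenge"]) || trim($_POST["challenge"]) != "" ){
        return;
    }

    // A forged request can leave out any field or send it as an array
    // (name[]=x); read defensively instead of indexing $_POST blindly.
    $name    = contact_post_string("name");
    $email   = contact_post_string("email");
    $phone   = contact_post_string("phone");
    $message = contact_post_string("message");

    // Phone carries no * in the form and is optional; the original test also
    // demanded it here (and tested $email twice), contradicting both the
    // label and the !empty($phone) branch further down.
    if( empty($name) or empty($email) or empty($message) ){
        die("0 | All the fields marked with * is required.");
    }
    // ASCII letters and spaces only — rejects names like O'Brien or accented
    // names. Presumably mirrors mask2 on the client; confirm before relaxing.
    if( !preg_match('/^[a-zA-Z ]+$/', $name) ){
        die("0 | Your full name format is invalid.");
    }
    // strlen() counts bytes, not characters: exact for the ASCII-only name,
    // approximate for a UTF-8 message.
    if( strlen($name) < 3 ){
        die("0 | Your full name cannot be less then 3 letters.");
    }
    if( !is_email($email) ){
        die("0 | Your email address format is invalid.");
    }
    if( strlen($email) < 5 ){
        die("0 | Your email address cannot be less then 5 letters.");
    }
    // Optional field: only an entered phone has to be 7-11 characters.
    // Parenthesised explicitly — PHP's `and` binds tighter than `or`, which
    // the original relied on silently. NOTE(review): the client's mask4
    // pattern is not re-checked here; add a preg_match if digits-only matters.
    if( $phone !== "" && (strlen($phone) < 7 || strlen($phone) > 11) ){
        die("0 | Please enter your phone number.");
    }
    if( strlen($message) < 5 ){
        die("0 | Your message cannot be less then 5 letters.");
    }
    if( check_for_spam($name) > 0 ){
        die("0 | Please remove any links from your full name.");
    }
    if( check_for_spam($phone) > 0 ){
        die("0 | Please remove any links from What would you like to know phones.");
    }
    if( check_for_spam($message) > 0 ){
        die("0 | Please remove any links from your message.");
    }

    // Clean-up before use. esc_html() is an *output* encoder; applying it at
    // input time means the stored/mailed text already contains entities, and
    // any later esc_html() on output double-encodes. Kept because the rest of
    // the handler (not shown) may depend on it — worth revisiting.
    $name    = esc_html(remove_html(sanitize_text_field($name)));
    $email   = esc_html(remove_html(sanitize_text_field($email)));
    $phone   = esc_html(remove_html(sanitize_text_field($phone)));
    $message = esc_html(remove_html(sanitize_text_field($message)));
    /* All Good */
}

/**
 * Returns the trimmed value of a POST field, or "" when the field is missing
 * or not a plain string (an array would make trim() throw on PHP 8).
 *
 * @param string $key  $_POST key to read
 * @return string
 */
function contact_post_string($key){
    if( !isset($_POST[$key]) || !is_string($_POST[$key]) ){
        return "";
    }
    return trim($_POST[$key]);
}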
功能联系人(){
如果($\服务器[“请求\方法”]=“发布”){
如果(设置($_POST[“challenge”])和修剪($_POST[“challenge”])==“”){
$name=$_POST[“name”];
$email=$_POST[“email”];
$phone=$_POST[“phone”];
$message=$_POST[“message”];
$name=trim($name);
$email=trim($email);
$phone=trim($phone);
$message=trim($message);
如果(空($name)或空($email)或空($email)或空($phone)或空($message)){
die(“0 |所有标有*的字段都是必填项”);
}else如果(!preg_match('/^[a-zA-Z]+$/',$name)){
die(“0 |您的全名格式无效。”);
}else if(strlen($name)<3){
死(“0 |您的全名不能少于3个字母。”);
}如果(!is_email($email)){
死亡(“0 |您的电子邮件地址格式无效。”);
}其他如果(strlen($email)<5){
死亡(“0 |您的电子邮件地址不能少于5个字母。”);
}否则如果(!empty($phone)和strlen($phone)<7或strlen($phone)>11){
死亡(“0 |请输入您的电话号码”);
}else if(strlen($message)<5){
死亡(“0 |您的邮件不能少于5个字母。”);
}否则如果(检查垃圾邮件($name)>0){
die(“0 |请删除您全名中的任何链接。”);
}否则如果(检查垃圾邮件($phone)>0){
die(“0 |请删除您想了解的电话中的任何链接。”);
}否则如果(检查垃圾邮件($message)>0){
die(“0 |请从您的邮件中删除任何链接。”);
}否则{
$name=sanitize\u text\u字段($name);
$email=sanitize\u text\u字段($email);
$phone=sanitize\u text\u字段($phone);
$message=清理文本字段($message);
$name=删除html($name);
$email=删除html($email);
$phone=remove_html($phone);
$message=删除html($message);
$name=esc_html($name);
$email=esc_html($email);
$phone=esc_html($phone);
$message=esc_html($message);
/*一切都好*/
}
}
}
}
攻击者无需使用您提供的HTML即可发送表单。
在您的情况下,表单由 jQuery 以 POST 方式提交到 /wp-admin/admin-ajax.php;攻击者不需要浏览器,也不需要执行页面上的任何 JavaScript,用 curl、Postman 或 Burp 之类的工具直接构造同样的请求即可,例如:
POST /wp-admin/admin-ajax.php
action => contact
challenge =>
name => a_name
email => an_email
phone => a_phone
message => a_message
如果挑战是se