如何保护此PHP邮件不被注入?
所以我是前端开发人员。我不懂PHP。在一个客户端的网页上工作时,我偶然发现了这个简单的PHP邮件程序,我可以理解并实现它,但它似乎不安全 我想要一些建议。是否可以保护此脚本?如何保护?或者我应该寻找另一个Mailer脚本,如果是的话,有人能建议一个更好的替代方案吗 提前谢谢如何保护此PHP邮件不被注入?,php,email,Php,Email,所以我是前端开发人员。我不懂PHP。在一个客户端的网页上工作时,我偶然发现了这个简单的PHP邮件程序,我可以理解并实现它,但它似乎不安全 我想要一些建议。是否可以保护此脚本?如何保护?或者我应该寻找另一个Mailer脚本,如果是的话,有人能建议一个更好的替代方案吗 提前谢谢 <?php // Contact $to = 'hello@xyz.com'; $subject = 'Mail from XYZ.com'; if(isset($_POST['c_name']) &&am
<?php
// Contact
$to = 'hello@xyz.com';
$subject = 'Mail from XYZ.com';
if(isset($_POST['c_name']) && isset($_POST['c_email']) && isset($_POST['c_message'])){
$name = $_POST['c_name'];
$from = $_POST['c_email'];
$message = $_POST['c_message'];
if (mail($to, $subject, $message, $from)) {
$result = array(
'message' => 'Thanks for contacting us!',
'sendstatus' => 1
);
echo json_encode($result);
} else {
$result = array(
'message' => 'Sorry, something is wrong',
'sendstatus' => 1
);
echo json_encode($result);
}
}
验证$from
地址以确保它只是一个电子邮件地址,例如:
改变
if (mail($to, $subject, $message, $from)) {
致:
这是一个快速而肮脏的解决办法。如果您不懂任何PHP,请雇佣一名称职的PHP程序员来正确地解决这个问题,这可能会很有帮助。您可以使用共享脚本,只需通过谷歌搜索就可以了解更多关于PHP电子邮件头注入的信息。
<?php
// Contact
$to = 'hello@xyz.com';
$subject = 'Mail from XYZ.com';
// split POST array as PHP var
extract( $_POST );
// check if var set
if( isset( $c_name ) && isset( $c_email ) && isset( $c_message ) ) {
// validate valid email format
$email = filter_var( $c_email, FILTER_VALIDATE_EMAIL );
// if email is alien :) kill them
if( $email === FALSE ) {
echo 'Invalid email id...';
exit( 1 );
}
// else email is angel :) go ahead
else {
$name = $c_name;
$from = $c_email;
/**
* According to the documentation for mail(),
* when it's talking directly to an SMTP server,
* you will need to prevent full stops in the message body:
* @var [type]
*/
$message = str_replace( "\n.", "\n..", $c_message );
/**
* Preventing Header Injections
*
* Preventing such attacks is as simple as
* replacing the following characters, \r, %0D, \n, %0A and stripping the slashes.
* Apparently, it's also possible to inject via the subject,
* as well, but since there is no FILTER_VALIDATE_EMAIL_SUBJECT,
* you'll need to do the filtering yourself:
* @var [type]
*/
$subject = str_ireplace( array("\r", "\n", '%0A', '%0D') , '', stripslashes($subject) );
if( mail( $to, $subject, $message, $from ) ) {
$result = array(
'message' => 'Thanks for contacting us!',
'sendstatus' => 1
);
echo json_encode( $result );
}
else {
$result = array(
'message' => 'Sorry, something is wrong',
'sendstatus' => 1
);
echo json_encode( $result );
}
}
}
?>
你所说的“PHP注入”到底是什么意思?嗨,巴特,我把它放在一个测试服务器上,几天之内,有人从这个id发送了恶意邮件。我的主机提供商告诉我要保护脚本。因此我在这里。这个网站:解释它。
<?php
// Contact
$to = 'hello@xyz.com';
$subject = 'Mail from XYZ.com';
// split POST array as PHP var
extract( $_POST );
// check if var set
if( isset( $c_name ) && isset( $c_email ) && isset( $c_message ) ) {
// validate valid email format
$email = filter_var( $c_email, FILTER_VALIDATE_EMAIL );
// if email is alien :) kill them
if( $email === FALSE ) {
echo 'Invalid email id...';
exit( 1 );
}
// else email is angel :) go ahead
else {
$name = $c_name;
$from = $c_email;
/**
* According to the documentation for mail(),
* when it's talking directly to an SMTP server,
* you will need to prevent full stops in the message body:
* @var [type]
*/
$message = str_replace( "\n.", "\n..", $c_message );
/**
* Preventing Header Injections
*
* Preventing such attacks is as simple as
* replacing the following characters, \r, %0D, \n, %0A and stripping the slashes.
* Apparently, it's also possible to inject via the subject,
* as well, but since there is no FILTER_VALIDATE_EMAIL_SUBJECT,
* you'll need to do the filtering yourself:
* @var [type]
*/
$subject = str_ireplace( array("\r", "\n", '%0A', '%0D') , '', stripslashes($subject) );
if( mail( $to, $subject, $message, $from ) ) {
$result = array(
'message' => 'Thanks for contacting us!',
'sendstatus' => 1
);
echo json_encode( $result );
}
else {
$result = array(
'message' => 'Sorry, something is wrong',
'sendstatus' => 1
);
echo json_encode( $result );
}
}
}
?>