如何在PHP中对抗SMTP标头操纵?
我收到了一些在客户网站上处理电子邮件表单的代码。这是代码如何在PHP中对抗SMTP标头操纵?,php,email,header,smtp,Php,Email,Header,Smtp,我收到了一些在客户网站上处理电子邮件表单的代码。这是代码 <?php $not_found = (isset($_SERVER['HTTPS']) ? "https" : "http") . "://$_SERVER[HTTP_HOST]/404"; if(isset($_SERVER['HTTP_X_REQUESTED_WITH']) && ($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpReques
<?php
$not_found = (isset($_SERVER['HTTPS']) ? "https" : "http") . "://$_SERVER[HTTP_HOST]/404";
if(isset($_SERVER['HTTP_X_REQUESTED_WITH']) && ($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest')) {
if($_POST && isset($_POST['emailForm'])) {
require_once 'lib/swift_required.php';
$site_url = (isset($_SERVER['HTTPS']) ? "https" : "http") . "://$_SERVER[HTTP_HOST]";
$from_email = $_POST['FromEmail'];
$first_name = $_POST['FirstName'];
$to_email = $_POST['ToEmail'];
$transport = Swift_SmtpTransport::newInstance('localhost', 25);
$mailer = Swift_Mailer::newInstance($transport);
if($_POST['emailForm'] == 'share') {
$subject = $first_name . ' wants to share some info about acne treatment';
$email_body = file_get_contents('templates/share.html');
$email_body = str_replace(
array('[BASEURL]', '[SENDER NAME]'),
array($site_url, $first_name),
$email_body
);
$message = Swift_Message::newInstance($subject)
->setFrom($from_email)
->setTo($to_email)
->setBody($email_body);
$message->addPart($email_body, 'text/html');
}
if($_POST['emailForm'] == 'ddg') {
$file_name = 'pdf/Dermatologist_Discussion_Guide.pdf';
$subject = 'Your Dermatologist Discussion Guide';
$email_body = file_get_contents('templates/ddg.html');
$email_body = str_replace(
array('[BASEURL]'),
array($site_url),
$email_body
);
$message = Swift_Message::newInstance($subject)
->setFrom($from_email)
->setTo($to_email)
->setBody($email_body);
$message->addPart($email_body, 'text/html');
$message->attach(Swift_Attachment::fromPath($file_name));
}
if($mailer->send($message)){
$success = true;
} else {
$success = false;
}
} else {
header('Location: ' . $not_found);
}
echo json_encode($success);
} else {
header('Location: ' . $not_found);
}
?>
setFrom($from_email)
->setTo($to_电子邮件)
->setBody($email\u body);
$message->addPart($email_body,'text/html');
}
如果($_POST['emailForm']=='ddg'){
$file_name='pdf/skiromictor_Discussion_Guide.pdf';
$subject='您的皮肤科医生讨论指南';
$email_body=file_get_contents('templates/ddg.html');
$email\u body=str\u replace(
数组(“[BASEURL]”),
数组($site\u url),
$email\u body
);
$message=Swift\u message::newInstance($subject)
->setFrom($from_email)
->setTo($to_电子邮件)
->setBody($email\u body);
$message->addPart($email_body,'text/html');
$message->attach(Swift_Attachment::fromPath($file_name));
}
如果($mailer->send($message)){
$success=true;
}否则{
$success=false;
}
}否则{
标题('位置:'。$未找到);
}
echo json_编码($success);
}否则{
标题('位置:'。$未找到);
}
?>
显然,它不能防止SMTP头操纵。我查看了OWASP,他们列出了如何利用此漏洞,但没有列出任何对策。有人能帮忙或链接一些资源吗?提前感谢。回答:设置SPF、DKIM和DMARC记录