PHP sécurisé E-mails
Il ya une faiblesse dans le PHP e-mail de script dans le chapitre précédent.
PHP E-mail injections
Tout d'abord, regardez le code PHP à partir du chapitre précédent:
<html>
<body>
<?php
if (isset($_REQUEST['email']))
//if "email" is filled out, send email
{
//send email
$email = $_REQUEST['email'] ;
$subject = $_REQUEST['subject'] ;
$message = $_REQUEST['message'] ;
mail("someone@example.com", "Subject: $subject",
$message, "From: $email" );
echo "Thank you for using our mail form";
}
else
//if "email" is not filled out, display the form
{
echo "<form method='post' action='mailform.php'>
Email: <input name='email' type='text' /><br />
Subject: <input name='subject' type='text' /><br />
Message:<br />
<textarea name='message' rows='15' cols='40'>
</textarea><br />
<input type='submit' />
</form>";
}
?>
</body>
</html>
<body>
<?php
if (isset($_REQUEST['email']))
//if "email" is filled out, send email
{
//send email
$email = $_REQUEST['email'] ;
$subject = $_REQUEST['subject'] ;
$message = $_REQUEST['message'] ;
mail("someone@example.com", "Subject: $subject",
$message, "From: $email" );
echo "Thank you for using our mail form";
}
else
//if "email" is not filled out, display the form
{
echo "<form method='post' action='mailform.php'>
Email: <input name='email' type='text' /><br />
Subject: <input name='subject' type='text' /><br />
Message:<br />
<textarea name='message' rows='15' cols='40'>
</textarea><br />
<input type='submit' />
</form>";
}
?>
</body>
</html>
Le problème avec le code ci-dessus est que les utilisateurs non autorisés ne peuvent insérer des données dans les en-têtes de courrier via le formulaire de saisie.
Qu'advient-il si l'utilisateur ajoute le texte ci-dessous pour le champ de saisie électronique dans le formulaire?
someone@example.com%0ACc:person2@example.com
%0ABcc:person3@example.com,person3@example.com,
anotherperson4@example.com,person5@example.com
%0ABTo:person6@example.com
%0ABcc:person3@example.com,person3@example.com,
anotherperson4@example.com,person5@example.com
%0ABTo:person6@example.com
La fonction mail () met le texte ci-dessus dans les en-têtes de courrier comme d'habitude, et maintenant l'en-tête a une Cc supplémentaire:, Cci:, et champ A:. Lorsque l'utilisateur clique sur le bouton submit, l'e-mail sera envoyé à toutes les adresses ci-dessus!
PHP arrêt E-mail injections
Le meilleur moyen d'arrêter les injections e-mail est de valider l'entrée.
Le code ci-dessous est le même que dans le chapitre précédent, mais maintenant nous avons ajouté un validateur d'entrée qui vérifie le champ email sous la forme:
<html>
<body>
<?php
function spamcheck($field)
{
//filter_var() sanitizes the e-mail
//address using FILTER_SANITIZE_EMAIL
$field=filter_var($field, FILTER_SANITIZE_EMAIL);
//filter_var() validates the e-mail
//address using FILTER_VALIDATE_EMAIL
if(filter_var($field, FILTER_VALIDATE_EMAIL))
{
return TRUE;
}
else
{
return FALSE;
}
}
if (isset($_REQUEST['email']))
{//if "email" is filled out, proceed
//check if the email address is invalid
$mailcheck = spamcheck($_REQUEST['email']);
if ($mailcheck==FALSE)
{
echo "Invalid input";
}
else
{//send email
$email = $_REQUEST['email'] ;
$subject = $_REQUEST['subject'] ;
$message = $_REQUEST['message'] ;
mail("someone@example.com", "Subject: $subject",
$message, "From: $email" );
echo "Thank you for using our mail form";
}
}
else
{//if "email" is not filled out, display the form
echo "<form method='post' action='mailform.php'>
Email: <input name='email' type='text' /><br />
Subject: <input name='subject' type='text' /><br />
Message:<br />
<textarea name='message' rows='15' cols='40'>
</textarea><br />
<input type='submit' />
</form>";
}
?>
</body>
</html>
<body>
<?php
function spamcheck($field)
{
//filter_var() sanitizes the e-mail
//address using FILTER_SANITIZE_EMAIL
$field=filter_var($field, FILTER_SANITIZE_EMAIL);
//filter_var() validates the e-mail
//address using FILTER_VALIDATE_EMAIL
if(filter_var($field, FILTER_VALIDATE_EMAIL))
{
return TRUE;
}
else
{
return FALSE;
}
}
if (isset($_REQUEST['email']))
{//if "email" is filled out, proceed
//check if the email address is invalid
$mailcheck = spamcheck($_REQUEST['email']);
if ($mailcheck==FALSE)
{
echo "Invalid input";
}
else
{//send email
$email = $_REQUEST['email'] ;
$subject = $_REQUEST['subject'] ;
$message = $_REQUEST['message'] ;
mail("someone@example.com", "Subject: $subject",
$message, "From: $email" );
echo "Thank you for using our mail form";
}
}
else
{//if "email" is not filled out, display the form
echo "<form method='post' action='mailform.php'>
Email: <input name='email' type='text' /><br />
Subject: <input name='subject' type='text' /><br />
Message:<br />
<textarea name='message' rows='15' cols='40'>
</textarea><br />
<input type='submit' />
</form>";
}
?>
</body>
</html>
Dans le code ci-dessus, nous utilisons des filtres PHP pour valider l'entrée:
- Le filtre FILTER_SANITIZE_EMAIL supprime tous les clandestins e-mail caractères d'une chaîne
- Le filtre FILTER_VALIDATE_EMAIL valide valeur d'une adresse e-mail
Vous pouvez lire plus sur les filtres de notre filtre PHP chapitre.
I've learn several excellent stuff here. Certainly price bookmarking for revisiting. I wonder how so much attempt you set to create this type of great informative website.
ReplyDeletecleaning hardwood floors
my homepage: engineered hardwood floors
My site > hardwood floors installation
This information is priceless. When can I find out more?
ReplyDeleteFeel free to visit my web-site :: hardwood flooring
Greate post. Keep posting such kind of information on your site.
ReplyDeleteIm really impressed by your blog.
Hi there, You've performed a fantastic job. I'll certainly digg it and in my
opinion suggest to my friends. I am confident they will be benefited from this web
site.
Take a look at my web blog; affordable hardwood flooring
Excellent items from you, man. I have be mindful your stuff
ReplyDeleteprior to and you are simply extremely excellent.
I really like what you've bought here, really like what you are stating and the best way during which you are saying it. You are making it entertaining and you continue to care for to stay it wise. I can not wait to learn far more from you. That is actually a tremendous website.
penn state
Feel free to surf to my website tonik plan