验证和PHP的问题

时间:2014-01-27 21:51:00

标签: php forms validation

我希望有人可以帮助我使用这个PHP脚本。它完美地发送电子邮件,虽然验证不起作用。此脚本在发送时也不会从电子邮件中删除HTML标记。这让我担心我的sanitizeString函数无法正常工作并且对xss开放。我的用户组将不支持Java ...因此尝试使用PHP。

这是PHP代码:

<?php

//Strip Tags and white Space from all input with this function
function sanitizeString($value){
$value = strip_tags($value);
$value = trim($value);
$value = escapeshellcmd($value);
$value = htmlentities($value);

return $value;
}

$send = $_POST[send];

//Email validation 
if (filter_var($from, FILTER_VALIDATE_EMAIL)) {
$email_error = true;
$error_message[] = "Please use a valid email format: name@domain.com";
}     

if($send == 1){$email_sent = true; $step_1 = "complete";}
else{$email_sent = false; $step_1 = "complete";}

if($email_sent === true) {

$from = sanitizeString($_POST['from']);
$to = sanitizeString($_POST['to']);
$name = sanitizeString($_POST['name']);
$title = sanitizeString($_POST['title']);
$company = sanitizeString($_POST['company']);
$phone = sanitizeString($_POST['phone']);
$subject = sanitizeString($_POST['subject']);
$message = sanitizeString($_POST['message']);

// define variables and initialize with empty values
$nameErr = $addressErr = $emailErr = $messageErr = $phoneErr = "";
$name = $address = $email = $message = $phone = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {
if (empty($_POST["name"])) {

    $nameErr = "Please enter your name.";
}
else {
    $name = $_POST["name"];
}

if (empty($_POST["email"])) {
    $emailErr = "Please enter your email."; 
}
else {
    $email = $_POST["email"];
}
if (empty($_POST["phone"])) {
    $phoneErr = "Please enter a phone number.";
}
else {
    $phone = $_POST["phone"];
}
if (empty($_POST["message"]))  {
    $messageErr = "Cannot leave message box blank."; 
}
else {
    $message = $_POST["message"];
}

}

//select the correct to address - This hides my email addresses from the source. Would love a better solution if you have one...
switch ($to) {
case "1":
$to = "Contact1@example.com";
break;
case "2":
$to = "Contact2@example.com";
break;
default:
$to = "Contact1@example.com";
break;}

if($message_error !== true && $email_error !== true){
$email_headers = "From:".$from."\nMIME-Version: 1.0 \nContent-type: text/html; charset=iso-8859-1";

$message_send = "<h3>".$name."<br>".$title."<br>".$company."<br>".$phone."<br>".$from."</h3><hr><h4>".$subject."</h4>".$message;

if (mail($to, $subject, $message_send, $email_headers)) {$error_message = "Thank you, your email is on the way!";}
else {$error_message = "There seems to be a problem!";}}

}

?>

为了简单起见而且我不需要HTML支持这一事实,我似乎每个帖子都要求PHP帮助,这里是我的输入字段。在评论输入字段之前是,我使用css,我将它们放在页面的右侧区域。 :)不要试图粗鲁,只是试图阻止上述主题之外的建议... 

<form action="<?php ($_SERVER["PHP_SELF"]);?>" method="post">
<input name="name" placeholder="Name*" type="text" class="text"/><span class="error"><?php echo $nameErr;?></span>
<input type="text" placeholder="Title" name="title" size="50"/>
<input type="text" placeholder="Company" name="company" size="50" />
<input name="phone" placeholder="Phone*" type="tel" size="10" maxlength="10" value="<?php echo htmlspecialchars($phone);?>"/><span class="error" style="color:#990000"><?php echo $phoneErr;?></span>
<input name="from" placeholder="Email*" type="email" class="text" value="<?php echo htmlspecialchars($email);?>"><span class="error"><?php echo $emailErr;?>
<select name="to" size="1">
    <option value="1">Contact1</option>
    <option value="2">Contact2</option>
    </select>
<input type="text" name="subject" placeholder="Subject" size="50" />
<textarea cols="50" rows="4" name="message" placeholder="Type your message here."></textarea>
<input type="hidden" name="send" value="1" /><input type="submit" value="Send" name="email_1" />
</form>

1 个答案:

答案 0 :(得分:0)

你在这里消毒:

//note, moved the setting to "" before sanitizing

// define variables and initialize with empty values
$nameErr = $addressErr = $emailErr = $messageErr = $phoneErr = "";
$name = $address = $email = $message = $phone = "";

$from = sanitizeString($_POST['from']);
$to = sanitizeString($_POST['to']);
$name = sanitizeString($_POST['name']);
$title = sanitizeString($_POST['title']);
$company = sanitizeString($_POST['company']);
$phone = sanitizeString($_POST['phone']);
$subject = sanitizeString($_POST['subject']);
$message = sanitizeString($_POST['message']);

然后只需将变量分配到$_POST(而不是清理变量):

if ($_SERVER["REQUEST_METHOD"] == "POST") {
if (empty($_POST["name"])) {

    $nameErr = "Please enter your name.";
}
else { // the else is not necessary; $name is already assigned if not empty.
    $name = $_POST["name"];
}

if (empty($_POST["email"])) {
    $emailErr = "Please enter your email."; 
}
else {  // the else is not necessary; $email is already assigned if not empty.
    $email = $_POST["email"];
}
...

等...

更改最后一位以引用已清理的变量,例如:

if ($_SERVER["REQUEST_METHOD"] == "POST") {
if (empty($name)) { // replaced $_POST['name'] with just $name

    $nameErr = "Please enter your name.";
}

if (empty($email)) { // replaced $_POST['email'] with just $email
    $emailErr = "Please enter your email."; 
}
...

等...

编辑 - 更新 为确保表单已提交,您应该检查“提交”按钮。

(为清楚起见,我会将名称从email_1更改为submitted

因此,在您的HTML中,您有一个提交按钮:

<input type="submit" name="submitted" value="true" >

然后,在验证码中添加以下内容:

if (!isset($_POST['submitted'])){
   $formErr ="The form was not submitted";
   exit(); // this line is optional to the line above it
}

验证字面上说:“如果未设置提交的字段,则抛出错误”;

相关问题
最新问题