我有一份联系表格,出于安全考虑,我想清理所有条目。
以下是我到目前为止所做的工作。
我正在使用这个PHP开始:
$f_name = cleanupentries($_POST["name"]);
$f_email = cleanupentries($_POST["email"]);
$f_message = cleanupentries($_POST["message"]);
$from_ip = $_SERVER['REMOTE_ADDR'];
$from_browser = $_SERVER['HTTP_USER_AGENT'];
function cleanupentries($entry) {
$entry = trim($entry);
$entry = stripslashes($entry);
$entry = htmlspecialchars($entry);
return $entry;
}
我已经知道一些问题,我应该逃避用户代理,所以我将第4行更改为:$from_browser = cleanupentries($_SERVER['HTTP_USER_AGENT']);。
此外,{I}据我所知,由于stripslashes()已被弃用且最近被删除,因此在以后的版本中不再需要magic_quotes。如果有什么应该替换它应该怎样?是否应保留反向兼容性?
我也听说过可以注入换行符,我该如何清理那些换行符呢?
以下是所有内容的使用方式:
HTML文件:
<form name="ajax-form" id="ajax-form" action="php-file.php" method="post">
<label for="name">Name: *
<span class="error" id="err-name">please enter name</span>
</label>
<input name="name" id="name" type="text" />
<label for="email">E-Mail: *
<span class="error" id="err-email">please enter e-mail</span>
<span class="error" id="err-emailvld">e-mail is not a valid format</span>
</label>
<input name="email" id="email" type="text" />
<label for="message">Message:</label>
<textarea name="message" id="message"></textarea>
<button id="send">Submit</button>
<div class="error" id="err-form">There was a problem validating the form please check!</div>
<div class="error" id="err-timedout">The connection to the server timed out!</div>
<div class="error" id="err-state"></div>
</form>
<div id="ajaxsuccess"><h2>Successfully sent!!</h2></div>
PHP文件(php-file.php):
<?php
$send_to = "contact@example.com";
$send_subject = "Ajax form ";
$f_name = cleanupentries($_POST["name"]);
$f_email = cleanupentries($_POST["email"]);
$f_message = cleanupentries($_POST["message"]);
$from_ip = $_SERVER['REMOTE_ADDR'];
$from_browser = $_SERVER['HTTP_USER_AGENT'];
function cleanupentries($entry) {
$entry = trim($entry);
$entry = stripslashes($entry);
$entry = htmlspecialchars($entry);
return $entry;
}
$message = "This email was submitted on " . date('m-d-Y') .
"\n\nName: " . $f_name .
"\n\nE-Mail: " . $f_email .
"\n\nMessage: \n" . $f_message .
"\n\n\nTechnical Details:\n" . $from_ip . "\n" . $from_browser;
$send_subject .= " - {$f_name}";
$headers = "From: " . $f_email . "\r\n" .
"Reply-To: " . $f_email . "\r\n" .
"X-Mailer: PHP/" . phpversion();
if (!$f_email) {
echo "no email";
exit;
}else if (!$f_name){
echo "no name";
exit;
}else{
if (filter_var($f_email, FILTER_VALIDATE_EMAIL)) {
mail($send_to, $send_subject, $message, $headers);
echo "true";
}else{
echo "invalid email";
exit;
}
}
?>
答案 0 :(得分:2)
如果保存到数据库:
赞成准备好的陈述http://fr2.php.net/pdo.prepared-statements
或使用PDO库http://php.net/manual/en/book.pdo.php
但至少要使用mysqli_real_escape_string(); http://php.net/manual/en/mysqli.real-escape-string.php
编辑:如果您只是通过电子邮件发送信息而不是将其保存到数据库,那么您可以使用几个函数来正确测试为新行输入的数据以及尝试进行电子邮件注入的错误字符串。
/*-----------------------------------------------------------------------
FUNCTION: containsBadStr();
PURPOSE: Checks for email injection attempts
ARGUMENTS: $str_to_test string, email message, headers, etc.
-----------------------------------------------------------------------*/
function containsBadStr($str_to_test) {
if (preg_match("/(bcc:|cc:|to:|content-type:|mime-version:|multipart\/mixed|Content-Transfer-Encoding:|http)/i", $str_to_test)) {
return TRUE;
} else {
return FALSE;
}
}
/*-----------------------------------------------------------------------
FUNCTION: containsNewlines();
PURPOSE: Checks email message has newlines
ARGUMENTS: $str_to_test string, email address
-----------------------------------------------------------------------*/
function containsNewlines($str_to_test) {
if (preg_match("/(%0A|%0D|\\n+|\\r+)/i", $str_to_test) != 0) {
return TRUE;
} else {
return FALSE;
}
}
您还需要运行strip_tags()以防止对您的表单进行XSS攻击......
答案 1 :(得分:-2)
如果要将这些变量放在数据库中,只需使用
即可 mysql_real_escape_string()
所以
$entry = mysql_real_escape_string($entry);
请注意,您需要先打开数据库连接才能使用mysql_real_escape_string函数。