Need opinions on whether my PHP code opens up vulnerabilities

Time: 2014-02-28 08:56:37

Tags: php mailer honeypot

Newbie here. Please bear with me. So I made a PHP mailer script. It does basic validation of the fields, returns errors, and otherwise submits if everything is okay. But it also has a honeypot field that is not required (I assume that by hiding it with CSS, a spambot will fill in that field). If that field is not empty, it opens a text file and writes/appends the attempt to it, and also sends an email alert about the attempt.

<?php
//print_r($_POST);
$error['name']    = "";
$error['company'] = "";
$error['email']   = "";
$error['subject'] = "";
$error['message'] = "";
$error['website'] = "";
$success = "";
$thistime = time();
$current_date = date('m/d/Y/T ==> H:i:s');

if (isset($_POST['_save'])) {
    // stripslashes() only undoes magic_quotes; it validates nothing,
    // so every value below is still raw user input.
    $name    = stripslashes($_POST['name']);
    $email   = stripslashes($_POST['email']);
    $company = stripslashes($_POST['company']);
    $message = stripslashes($_POST['message']);
    $subject = stripslashes($_POST['subject']);
    $website = stripslashes($_POST['website']); // honeypot field, hidden with CSS

    if (empty($name) || empty($email) || empty($company) || empty($subject) || empty($message) ||
            !empty($website)) {
        if (empty($name))
            $error['name'] = "Please enter your Full Name";
        if (empty($email))
            $error['email'] = "Please enter a valid Email Address";
        if (empty($company))
            $error['company'] = "Please enter Your Company Name";
        if (empty($subject))
            $error['subject'] = "Please Write a Subject";
        if (empty($message))
            $error['message'] = "Please write a message, inquiries or other concerns above";
        if (!empty($website)) {
            $error['subject'] = "Opps looks like you're a spambot. You just filled in a not required field.";
            // log the trapped attempt
            $myFile = "botlog.txt";
            $fh = fopen($myFile, 'a') or die("can't open file");
            $stringData = "bot trapped - " . $website . " - " . $current_date . "\r\n";
            fwrite($fh, $stringData);
            fclose($fh);
            // send an alert; note that the user-supplied $email goes unvalidated into the From: header
            $donot = "donotreply@whatever.com";
            $headers = "From: {$email}\r\nReply-To: {$donot}"; //create headers
            mail('opps@gmail.com', 'bot trapped', $stringData, $headers); // mail(to, subject, body, headers)
        }
    }
    else { //if not empty
        // $email again goes unvalidated into the headers
        $headers = "From: {$email}\r\nReply-To: {$email}"; //create headers
        $content = "Name: " . $name . "\r\n\r\nCompany: " . $company
                 . "\r\n\r\nSubject: " . $subject . "\r\n\r\nMessage: " . $message;
        mail('opps@gmail.com', $subject, $content, $headers); //mails it
        $success = "Thank you! Your email has been sent.";
    }
}
?>

Am I doing it right? Does this open up any vulnerabilities? I'm open to any suggestions and improvements. Thanks.

1 answer:

Answer 0: (score: 0)

You're not sanitizing your POST variables.. This is a very common mistake
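As an added example (not code from the original question or the answer), here is a hardened version of the same mailer that addresses the answer's point about unsanitized POST values and keeps the honeypot logic from the question. The function names (`header_safe`, `validate_contact`, `log_bot_attempt`, `send_contact`) and the `SITE_SENDER`, `LOG_FILE` and `RECIPIENT` constants are assumptions; the two addresses come from the original code. Every value that reaches a mail header is checked to be a single line, the visitor's address is validated with `filter_var()` and placed only in Reply-To, and a honeypot hit is logged with the submitted value flattened to one line.

```php
<?php
// Added example, not from the original post. Assumed names: RECIPIENT, SITE_SENDER, LOG_FILE.
const RECIPIENT   = 'opps@gmail.com';           // recipient from the original code
const SITE_SENDER = 'donotreply@whatever.com';  // our own address, from the original code
const LOG_FILE    = __DIR__ . '/botlog.txt';    // keep this outside the web root in production

// A value that ends up in a mail header must be a single line: a CR or LF
// inside it would let the input start a new header line of its own.
function header_safe(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Validate the form. Returns ['bot' => bool, 'errors' => [...], 'data' => [...]].
function validate_contact(array $post): array
{
    $errors = [];
    $clean  = [];
    foreach (['name', 'email', 'company', 'subject', 'message', 'website'] as $f) {
        // Missing keys count as empty; surrounding whitespace is trimmed.
        $clean[$f] = trim((string)($post[$f] ?? ''));
    }

    // Honeypot: the CSS-hidden "website" field must stay empty for a human submission.
    if ($clean['website'] !== '') {
        return ['bot' => true, 'errors' => ['website' => 'Honeypot field was filled in'], 'data' => $clean];
    }

    foreach (['name', 'email', 'company', 'subject', 'message'] as $f) {
        if ($clean[$f] === '') {
            $errors[$f] = "Please fill in the {$f} field";
        }
    }
    // The address must parse as an email and must be a single line.
    if ($clean['email'] !== ''
        && (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false || !header_safe($clean['email']))) {
        $errors['email'] = 'Please enter a valid Email Address';
    }
    // Subject goes into a header too; name and company are kept single-line for the log and body.
    foreach (['name', 'company', 'subject'] as $f) {
        if ($clean[$f] !== '' && !header_safe($clean[$f])) {
            $errors[$f] = 'Line breaks are not allowed in this field';
        }
    }
    return ['bot' => false, 'errors' => $errors, 'data' => $clean];
}

// Append one line per trapped submission; the honeypot value is flattened and length-limited
// so that a submission cannot forge extra log lines or bloat the file.
function log_bot_attempt(array $data): void
{
    $line = sprintf("bot trapped - %s - %s\r\n",
        substr(str_replace(["\r", "\n"], ' ', $data['website']), 0, 200),
        date('m/d/Y/T ==> H:i:s'));
    file_put_contents(LOG_FILE, $line, FILE_APPEND | LOCK_EX);
}

// Send the validated submission. From: is always our own address; the visitor's
// (already validated, single-line) address only appears in Reply-To.
function send_contact(array $data): bool
{
    $headers = "From: " . SITE_SENDER . "\r\nReply-To: " . $data['email'] . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8";
    $body = "Name: {$data['name']}\r\n\r\nCompany: {$data['company']}\r\n\r\n"
          . "Subject: {$data['subject']}\r\n\r\nMessage: {$data['message']}";
    return mail(RECIPIENT, $data['subject'], $body, $headers);
}

// Constructed sample submission (not real traffic): otherwise valid, but the
// email field contains a line break, so validate_contact() must reject it.
$sample = [
    'name'    => 'Jane Doe',
    'email'   => "jane@example.com\nsecond line",
    'company' => 'Example Ltd',
    'subject' => 'Hello',
    'message' => 'Test message',
    'website' => '',
];
$result = validate_contact($sample);
var_dump($result['errors']);   // contains an 'email' entry; nothing is mailed

// Real request handling would look like this:
// if (isset($_POST['_save'])) {
//     $r = validate_contact($_POST);
//     if ($r['bot'])               { log_bot_attempt($r['data']); }
//     elseif (!$r['errors'])       { send_contact($r['data']); }
// }
```

The design choice worth noting is that the visitor's address never becomes the From: header. Besides removing the header-injection exposure that an unvalidated multi-line value would carry, many receiving mail servers reject or spam-flag messages whose From: domain the sending host is not allowed to use, so a fixed site sender plus Reply-To is also the more deliverable option.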