如何防止人们随意访问表单操作页面

时间:2014-09-30 04:44:21

标签: php html forms

我正在创建一个引用PHP文件以发送电子邮件的HTML表单。然而,人们不断点击表单的操作页面,然后向我发送一封没有填写信息的电子邮件。我想通过某种方式保护该操作页面免受外部命中。

这是我的代码:

HTML表单:

<form name="homecontact" action="/admin/formactions/writequick.php" method="POST">
        <input name="name" placeholder="Name"></input>
        <input name="email" placeholder="Email"></input>
        <input name="phone" placeholder="Phone"></input>
        <textarea name="message" placeholder="Message"></textarea>
        <input type="submit" style="background:MidnightBlue; color:white;">
</form>

PHP脚本:

<?php
$to      = 'myemailaddress@example.com';
$subjectadmin = 'CONTACT FORM from My Website';
$subjectuser = 'Contact Confirmation from My Website';
$name = $_POST['name'];  
$email = $_POST['email'];
$phone = $_POST['phone'];
$comments = $_POST['message'];
$messageadmin = 'A customer just submitted a form on Your Website.  Here is their message:' . "\n" . "\n" . 'Name:' . '   ' . $name . "\n" . 'Email:' . '   ' . $email . "\n" . 'Phone:' . '   ' . $phone . "\n" . 'Comments:' . '   ' . $comments . "\n";
$messageuser = 'Hello,' . ' ' . $name . '!' . "\n" . "\n" . 'Thank you for contacting My Website!  We have received your contact form and we will get back to you as soon as we can.' . "\n" . "\n" . 'Just for your records, here is what you submitted to us:' . "\n" . 'Name:' . '  ' . $name . "\n" . 'Email:' . '  ' . $email . "\n" . 'Phone:' . '  ' . $phone . "\n" . 'Comments:' . '  ' . $comments . "\n" . "\n" . 'Thank you for choosing My Website!';
$headers = 'From: myotheraddress@example.com' . "\r\n" .
    'X-Mailer: PHP/' . phpversion();

mail($to, $subjectadmin, $messageadmin, $headers);
mail($email, $subjectuser, $messageuser, $headers);
?>

表单完美无缺,但我不知道如何阻止人们访问该操作页面,除非他们通过表单。

6 个答案:

答案 0 :(得分:1)

  

&#34;我喜欢它,但是如果只有一个字段是空白的,它还会发送吗?如果他们不愿意,我不希望别人提供他们的联系信息。&#34;

最快修复:命名您的提交按钮

<input type="submit" style="background:MidnightBlue; color:white;" name="submit">

并将您的代码包装在条件语句中。

if(isset($_POST['submit'])){

    // rest of your PHP/mail code

}

然后只需使用标题重定向邮件成功

...
mail($email, $subjectuser, $messageuser, $headers);
header("Location: http://www.example.com/");
exit;

在表单中使用此选项:(将其替换为您现有的表格)

<input type="submit" style="background:MidnightBlue; color:white;" name="submit">

重写:

<?php
if(isset($_POST['submit'])) {

$to      = 'myemailaddress@example.com';
$subjectadmin = 'CONTACT FORM from My Website';
$subjectuser = 'Contact Confirmation from My Website';
$name = $_POST['name'];  
$email = $_POST['email'];
$phone = $_POST['phone'];
$comments = $_POST['message'];
$messageadmin = 'A customer just submitted a form on Your Website.  Here is their message:' . "\n" . "\n" . 'Name:' . '   ' . $name . "\n" . 'Email:' . '   ' . $email . "\n" . 'Phone:' . '   ' . $phone . "\n" . 'Comments:' . '   ' . $comments . "\n";
$messageuser = 'Hello,' . ' ' . $name . '!' . "\n" . "\n" . 'Thank you for contacting My Website!  We have received your contact form and we will get back to you as soon as we can.' . "\n" . "\n" . 'Just for your records, here is what you submitted to us:' . "\n" . 'Name:' . '  ' . $name . "\n" . 'Email:' . '  ' . $email . "\n" . 'Phone:' . '  ' . $phone . "\n" . 'Comments:' . '  ' . $comments . "\n" . "\n" . 'Thank you for choosing My Website!';
$headers = 'From: myotheraddress@example.com' . "\r\n" .
    'X-Mailer: PHP/' . phpversion();

mail($to, $subjectadmin, $messageadmin, $headers);
mail($email, $subjectuser, $messageuser, $headers);

// redirect after mail sent
header("Location: http://www.example.com/"); // modify it to your site
exit;

}

else{ echo "You can't do that from here."; }
?>

答案 1 :(得分:0)

你可以试试这个:

<?php
if($_SERVER['REQUEST_METHOD']=='POST' && !empty($_POST)) {

    // you should also validate your _POST data (email syntaxis, etc)

    $to      = 'myemailaddress@example.com';
    $subjectadmin = 'CONTACT FORM from My Website';
    $subjectuser = 'Contact Confirmation from My Website';
    $name = $_POST['name'];  
    $email = $_POST['email'];
    $phone = $_POST['phone'];
    $comments = $_POST['message'];
    $messageadmin = 'A customer just submitted a form on Your Website.  Here is their message:' . "\n" . "\n" . 'Name:' . '   ' . $name . "\n" . 'Email:' . '   ' . $email . "\n" . 'Phone:' . '   ' . $phone . "\n" . 'Comments:' . '   ' . $comments . "\n";
    $messageuser = 'Hello,' . ' ' . $name . '!' . "\n" . "\n" . 'Thank you for contacting My Website!  We have received your contact form and we will get back to you as soon as we can.' . "\n" . "\n" . 'Just for your records, here is what you submitted to us:' . "\n" . 'Name:' . '  ' . $name . "\n" . 'Email:' . '  ' . $email . "\n" . 'Phone:' . '  ' . $phone . "\n" . 'Comments:' . '  ' . $comments . "\n" . "\n" . 'Thank you for choosing My Website!';
    $headers = 'From: myotheraddress@example.com' . "\r\n" .
        'X-Mailer: PHP/' . phpversion();

    mail($to, $subjectadmin, $messageadmin, $headers);
    mail($email, $subjectuser, $messageuser, $headers);
}
?>

这样,如果用户直接进入该页面(在GET模式下)并不重要。它必须通过一个post表单来实际调用 mail()函数。您还可以通过在表单中​​添加隐藏输入来添加一个简单的附加安全层(以避免来自其他站点的帖子请求):

<input type="hidden" name="hash" value="<?=md5(date("Y-m-d H"))?>">

然后在writequick.php文件的开头应用此验证:

if($_POST['hash'] == md5(date("Y-m-d H"))) {

我希望有所帮助!

答案 2 :(得分:0)

将代码包装在

if($_SERVER['REQUEST_METHOD']=='POST'){
    //Do stuff here
}

这将确保用户在做任何事情之前发出帖子请求。您还需要在邮寄之前验证变量是否具有值。使用

if(!empty($_POST['variable_key_here'])){
    //Do stuff here
}

答案 3 :(得分:0)

您可以查看$_POST超级全局数组

   <?php
    if(isset($_POST['name'])) {
    $to      = 'myemailaddress@example.com';
    $subjectadmin = 'CONTACT FORM from My Website';
    $subjectuser = 'Contact Confirmation from My Website';
    $name = $_POST['name'];  
    $email = $_POST['email'];
    $phone = $_POST['phone'];
    $comments = $_POST['message'];
    $messageadmin = 'A customer just submitted a form on Your Website.  Here is their message:' . "\n" . "\n" . 'Name:' . '   ' . $name . "\n" . 'Email:' . '   ' . $email . "\n" . 'Phone:' . '   ' . $phone . "\n" . 'Comments:' . '   ' . $comments . "\n";
    $messageuser = 'Hello,' . ' ' . $name . '!' . "\n" . "\n" . 'Thank you for contacting My Website!  We have received your contact form and we will get back to you as soon as we can.' . "\n" . "\n" . 'Just for your records, here is what you submitted to us:' . "\n" . 'Name:' . '  ' . $name . "\n" . 'Email:' . '  ' . $email . "\n" . 'Phone:' . '  ' . $phone . "\n" . 'Comments:' . '  ' . $comments . "\n" . "\n" . 'Thank you for choosing My Website!';
    $headers = 'From: myotheraddress@example.com' . "\r\n" .
        'X-Mailer: PHP/' . phpversion();

    mail($to, $subjectadmin, $messageadmin, $headers);
    mail($email, $subjectuser, $messageuser, $headers);
    } else {
      die("Access denied");
    }
   ?>

答案 4 :(得分:0)

您提交邮件联系方式的代码是正确的,但是 没有验证。

我们有许多方法来验证表单:

1.您可以在表单中使用CAPTCHA。

2.Client Side Java Script Validations以及服务器端PHP验证,以检查正确的电子邮件模式,空字段,html特殊字符以及所有。

检查此链接:

http://www.w3schools.com/php/php_form_url_email.asp

http://www.w3schools.com/js/js_form_validation.asp

有许多验证方法,只需根据您的要求使用Google,您的问题就会得到解决。

答案 5 :(得分:-2)

试试这个

<form name="homecontact" action="/admin/formactions/writequick.php?action=mail" method="POST">
</form>
在你的writequick.php页面中

if(isset($_GET['action'])){
//place your mail code


}
相关问题
最新问题