我今天早些时候做了一个简单的注册通讯表格并且工作得非常好。但现在,我意识到该脚本可能容易受到CSRF的影响,因此一个简单的解决方法是添加Google的reCaptcha API。当我想测试脚本时,它只显示空白页面,即使我没有错误。
脚本
<?php
if($_POST['submit']){
require_once('recaptchalib.php');
$privatekey = "private_key";
$resp = recaptcha_check_answer ($privatekey,
$_SERVER["REMOTE_ADDR"],
$_POST["recaptcha_challenge_field"],
$_POST["recaptcha_response_field"]);
if (!$resp->is_valid) {
// What happens when the CAPTCHA was entered incorrectly
die ("The reCAPTCHA wasn't entered correctly. Go back and try it again." .
"(reCAPTCHA said: " . $resp->error . ")");
} else {
$to = 'email@domain.com';
$mail_list = $_POST['mail_list'];
$subject = 'New sign up';
$headers = 'From: '. $mail_list .'';
if (!filter_var($mail_list, FILTER_VALIDATE_EMAIL) === false) {
$dodgy_strings = array(
"content-type:"
,"mime-version:"
,"multipart/mixed"
,"bcc:"
);
function is_valid_email($mail_list) {
return preg_match('#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+@([0-9.]+|([^\s]+\.+[a-z]{2,6}))$#si', $mail_list);
}
function contains_bad_str($str_to_test) {
$bad_strings = array(
"content-type:"
,"mime-version:"
,"multipart/mixed"
,"Content-Transfer-Encoding:"
,"bcc:"
,"cc:"
,"to:"
);
foreach($bad_strings as $bad_string) {
if(eregi($bad_string, strtolower($str_to_test))) {
echo "<script>alert('". $bad_string ." found. Suspected injection attempt - mail not being sent.');</script>";
exit;
}
}
}
function contains_newlines($str_to_test) {
if(preg_match("/(%0A|%0D|\\n+|\\r+)/i", $str_to_test) != 0) {
echo "<script>alert('newline found in ". $str_to_test .". Suspected injection attempt - mail not being sent.');</script>";
exit;
}
}
if (!is_valid_email($mail_list)) {
echo "<script>alert('Invalid email submitted - mail not being sent.');</script>";
exit;
}
contains_bad_str($mail_list);
contains_bad_str(body);
mail($to, $subject, $mail_list, $headers);
}
}
}
?>
<!DOCTYPE html>
<html>
<head>
<title>List</title>
<script src='https://www.google.com/recaptcha/api.js'></script>
</head>
<body>
<form action="" method="post">
<input type="text" name="mail_list" />
<input type="submit" name="submit" value="Sign up" />
<div class="g-recaptcha" data-sitekey="public_key"></div>
<?php
require_once('recaptchalib.php');
$publickey = "public_key"; // you got this from the signup page
echo recaptcha_get_html($publickey);
?>
</form>
</body>
</html>
请注意,如果实际上有一个我没有注意到的错误,那是因为我是PHP的新手,我使用这个site来处理错误。
问候。
答案 0 :(得分:-1)
好的,所以我找到了这个解决方案。如果其他人遇到此类问题,请执行以下操作。
<强>首先
复制JavaScript标记(Google提供给您)并将其添加到HTML标题内或正文标记的末尾。
<强>第二 只需在表单中添加div标签,或者在您的表单中添加div标签。
现在你需要验证用户是否真的回答过这个问题;所以在你的PHP里面写下这个。
PHP脚本
if(isset($_POST['g-recaptcha-response']) && $_POST['g-recaptcha-response']){
// checks if the captecha is empty or not
$secret = "your_secret_key";
// The secret key is the one on your right.
$ip = $_SERVER['REMOTE_ADDR'];
// The end user's ip address.
$captecha = $_POST['g-recaptcha-response'];
$resp = file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=$secret&response=$captecha&remoteip=$ip");
// code turns the resp variable to JSON
$arr = json_decode($resp,TRUE);
// decodes the json
if($arr['success']){
// if success write the rest of your php else show an error
}
希望它有所帮助。