我是php新手,我正在使用一个简单的表单在主页上发帖给我发电子邮件。
这是表格:
<form data-abide action="anfrage.php" method="post">
<fieldset>
<div class="row">
<div class="large-12 columns">
<label>Firma
<input type="text" name="firm" placeholder="Firma" />
</label>
</div>
</div>
<div class="row">
<div class="large-4 columns">
<label>Anrede
<select name="salutation">
<option value="-">-</option>
<option value="Herr">Herr</option>
<option value="Frau">Frau</option>
</select>
</label>
</div>
<div class="large-8 columns">
<label>Name <small>benötigt</small>
<input type="text" name="name" placeholder="Ansprechpartner" required pattern="[a-zA-Z]+">
</label>
<small class="error">Bitte geben Sie einen Ansprechpartner an!</small>
</div>
</div>
<div class="row">
<div class="large-4 columns">
<label>Adresse <small>benötigt</small>
<input type="text" name="address" placeholder="Strasse, PLZ, Stadt" />
</label>
<small class="error">Bitte geben Sie eine Adresse an!</small>
</div>
<div class="large-4 columns">
<label>eMail <small>benötigt</small>
<input type="eMail" name="email" placeholder="eMail" required/>
</label>
<small class="error">Bitte geben Sie eine gültige eMail-Adresse an!</small>
</div>
<div class="large-4 columns">
<label>Telefon <small>benötigt</small>
<input type="text" name="phoneno" placeholder="0123 0815..." required/>
</label>
<small class="error">Bitte geben Sie eine gültige Telefonnummer an!</small>
</div>
</div>
<div class="row">
<div class="large-6 columns">
<label>Art der Anfrage</label>
<input type="radio" name="radio" id="dryhire" value="Vermietung"><label for="dryhire">Vermietung</label>
<input type="radio" name="radio" id="event" value="Veranstaltung"><label for="event">Veranstaltung</label>
<input type="radio" name="radio" id="consultation" value ="Beratung"><label for="consultation">Beratung</label>
</div>
</div>
<div class="row">
<div class="large-12 columns">
<label>Was können wir für Sie tun?<small>benötigt</small>
<textarea name="text" placeholder="Erläutern Sie uns kurz was Sie wann und wo benötigen." required pattern=""></textarea>
</label>
<small class="error">Bitte erläutern Sie kurz Ihr Anliegen!</small>
</div>
</div>
<div class="antispam">Wenn Sie kein Roboter sind lassen sie diesen Bereich einfach leer: <input type="text" name="url" /></div>
<button class="large-12 columns button" type="submit">ANFRAGEN</button>
</fieldset>
</form>
anfrage.php看起来像这样:
<?php
$to = "anfrage@myhomepage.de";
$subject = $_POST["radio"];
$email = $_POST["email"];
$returnPage = 'http://myhomepage.de#success';
$returnErrorPage = 'http://myhomepage.de#error';
$dodgy_strings = array(
"content-type:"
,"mime-version:"
,"multipart/mixed"
,"bcc:"
);
function is_valid_email($email) {
return preg_match('#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+@([0-9.]+|([^\s]+\.+
[a-z]{2,6}))$#si', $email);
}
function contains_bad_str($str_to_test) {
$bad_strings = array(
"content-type:"
,"mime-version:"
,"multipart/mixed"
,"Content-Transfer-Encoding:"
,"bcc:"
,"cc:"
,"to:"
);
foreach($bad_strings as $bad_string) {
if(eregi($bad_string, strtolower($str_to_test))) {
header("Location: " . $returnErrorPage);
exit;
}
}
}
function contains_newlines($str_to_test) {
if(preg_match("/(%0A|%0D|\\n+|\\r+)/i", $str_to_test) != 0) {
header("Location: " . $returnErrorPage);
exit;
}
}
function isEmpty($str_to_test){
return preg_match('/\S/', $str_to_test);
}
function checkFormCompletion($str_to_test){
contains_bad_str($str_to_test);
if(isEmpty($str_totest)){
header("Location: " . $returnErrorPage);
exit;
}
else
return $str_to_test;
}
if($_SERVER['REQUEST_METHOD'] != "POST"){
header("Location: " . $returnErrorPage);
exit;
}
if (!is_valid_email($email)) {
header("Location: " . $returnErrorPage);
exit;
}
$body .= "Firma: " .checkFormCompletion($_POST['firm']);
$body .= "\n";
$body .= "Ansprechpartner: " .checkFormCompletion($_POST['salutation']) ." "
.checkFormCompletion($_POST['name']);
$body .= "\n";
$body .= "Adresse: " .checkFormCompletion($_POST['address']);
$body .= "\n";
$body .= "Telefonnummer: " .checkFormCompletion($_POST['phoneno']);
$body .= "\n";
$body .= "\n";
$body .= "Anfrage: " .checkFormCompletion($_POST['text']);
contains_bad_str($email);
contains_bad_str($subject);
contains_newlines($email);
contains_newlines($subject);
checkFormCompletion($subject);
if(isset($_POST['url']) && $_POST['url'] == ''){
$mailSent = @mail($to, $subject, $body, "From: ".$email);
}
else {
header("Location: " . $returnErrorPage);
}
if($mailSent == TRUE) {
header("Location: " . $returnPage);
} else {
header("Location: " . $returnErrorPage);
}
exit();
?>
虽然imho没有空的电子邮件应该通过我,我继续得到这样的电子邮件:
To: anfrage@myhomepage.de
From: bflaccus@anyaddressyoucanimagine.com
Subject:
Body:
Firma:
Ansprechpartner: Herr 59d4f7714f4d7
Adresse:
Telefonnummer:
Anfrage:
某些情况下,它每天只有一个电子邮件,有时候是30 + 我不知道为什么我继续获得这些电子邮件。 你知道如何避免它吗? 或者你知道我的anfrage.php中存在安全问题吗?
提前致谢!
答案 0 :(得分:1)
你的checkFormCompletion函数中有一个拼写错误,所以它总是将字段评估为空。
function checkFormCompletion($str_to_test){
contains_bad_str($str_to_test);
if(isEmpty($str_totest)){ // $str_totest should be $str_to_test
你知道PHP已经有一个函数来检查变量是否为空,对吧? empty