PHP contact form validation / URL issue

Time: 2018-06-30 20:36:44

Tags: php validation contact-form

I have a PHP contact form with validation, but I have set up .htaccess so that it strips .php from the URL, so the URL looks cleaner (like WP URLs). The form works great, except that when a user submits with validation errors and presses "submit", the form validates fine but reloads the URL with the .php extension. So if they fix the errors and submit again, my "external URL" hack-check PHP code kicks in, and because the URLs no longer match, the form cannot be sent.

How can I run the validation without the page "reloading", or make it validate and reload without the .php extension in the URL?

PHP:

<?php
// define variables and set to empty values
$nameErr = $fromErr = $messageErr = $subjectErr = $phoneErr = $verif_boxErr = "";
$inquiries = $name = $from = $subject = $message = $verif_box = "";
$errors = 0;

if ($_SERVER["REQUEST_METHOD"] == "POST") { // check if form has been submitted
    // Get the inquiries field (guard against a missing key)
    $inquiries = isset($_POST['inquiries']) ? $_POST['inquiries'] : '';

    if (empty($_POST["name"])) {
        $nameErr = " * Name is missing";
        $errors  = 1;
        echo '<style type="text/css"> input#name {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
    } else {
        $name = test_input($_POST["name"]);
        // check if name only contains letters and whitespace
        if (!preg_match("/^[a-zA-Z ]*$/", $name)) {
            $nameErr = "Only letters and white space allowed";
            $errors  = 1;
            echo '<style type="text/css"> input#name {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
        }
    }
    if (empty($_POST["from"])) {
        $fromErr = " * Email is missing";
        $errors  = 1;
        echo '<style type="text/css"> input#from {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
    } else {
        $from = test_input($_POST["from"]);
        // check if e-mail address is well-formed
        if (!filter_var($from, FILTER_VALIDATE_EMAIL)) {
            $fromErr = "Invalid email format";
            $errors  = 1;
            echo '<style type="text/css"> input#from {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
        }
    }
    if (empty($_POST["subject"])) {
        $subjectErr = " * Subject is missing";
        $errors  = 1;
        echo '<style type="text/css"> input#subject {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
    } else {
        $subject = test_input($_POST["subject"]);
    }
    if (empty($_POST["message"])) {
        $messageErr = " * Message is missing";
        $errors  = 1;
        echo '<style type="text/css"> textarea#message {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
    } else {
        $message = test_input($_POST["message"]);
    }
    if (empty($_POST["verif_box"])) {
        $verif_boxErr = " * Security code is missing";
        $errors       = 1;
        echo '<style type="text/css"> input#verif_box {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
    } else {
        $verif_box = test_input($_POST["verif_box"]);
        // the captcha script stores the expected value in the 'tntcon' cookie; guard against it being absent
        $expected = isset($_COOKIE['tntcon']) ? $_COOKIE['tntcon'] : '';
        if (md5($verif_box) . 'a4xn' != $expected) {
            $verif_boxErr = " * Security code does not match";
            $errors       = 1;
            echo '<style type="text/css"> input#verif_box {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
        }
    }
    if ($errors == 0) { // all fields successfully validated. final hack check before sending email:
        // Stop the form being used from an external URL.
        // Note: HTTP_REFERER is sent by the client and may be missing entirely.
        $referer  = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '') . ".php"; // Get the referring URL
        $this_url = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER["REQUEST_URI"]; // Get the URL of this page
        // If the referring URL and the URL of this page don't match then
        // display a message and don't send the email.
        if ($referer != $this_url) {
            echo "You do not have permission to use this script from another URL, nice hacking attempt moron.";
            exit;
        } else { // send the email
            $message = "Subject: " . $subject . "\n\nMessage: " . $message;
            $message = "Inquiry: " . $inquiries . "\n" . $message;
            $message = "Name: " . $name . "\n" . $message;
            $message = "From: " . $from . "\n" . $message;
            // the subject goes into a mail header, so strip CR/LF to prevent header injection
            $subject = str_replace(array("\r", "\n"), '', $subject);
            mail("milkytech@gmail.com", 'ContactUs: ' . $subject, $_SERVER['REMOTE_ADDR'] . "\n\n" . $message, "From: Contact@AntiqueCafeBakery.com");
            setcookie('tntcon', ''); // delete the cookie so it cannot be sent again by refreshing this page
            header('Location: success'); // redirect to success page
            exit();
        }
    }
}

function test_input($data)
{
    $data = trim($data);             // strip unnecessary characters (extra space, tab, newline) from the user input data
    $data = stripslashes($data);     // remove backslashes (\) from the user input data
    $data = htmlspecialchars($data); // pass all variables through PHP's htmlspecialchars() function
    return $data;
}
?>

HTML:

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" id="contactform">
    <div>
        <label for="inquiries"><strong>Inquiries:</strong></label>
        <select name="inquiries" id="inquiries">
            <option value="Catering">Catering</option>
            <option value="Cookie Gift Tins">Cookie Gift Tins</option>
            <option value="Retail Stores">Retail Stores</option>
            <option value="Employment">Employment</option>
            <option value="Investment">Investment</option>
        </select>
    </div>

    <div>
        <label for="name"><strong>Name:</strong></label>
        <input type="text" size="50" name="name" id="name" value="<?php echo $name;?>"/><span class="error"><?php echo $nameErr;?></span>
    </div>

    <div>
        <label for="from"><strong>Email:</strong></label>
        <input type="text" size="50" name="from" id="from" value="<?php echo $from;?>"/><span class="error"><?php echo $fromErr;?></span>
    </div>

    <div>
        <label for="subject"><strong>Subject:</strong></label>
        <input type="text" size="50" name="subject" id="subject" value="<?php echo $subject;?>" />
    </div>

    <div>
        <label for="message"><strong>Message:</strong></label>
        <textarea rows="5" cols="69" name="message" id="message"><?php echo $message;?></textarea>
    </div>
    <div id="verif">
        <span>Captcha Code:</span>
        <input name="verif_box" type="text" size="10" id="verif_box"/>
        <img id="imageid" class="verifbox" src="verificationimage.php?<?php echo rand(0,9999);?>" alt="verification image, type it in the box" />
        <input type="button" value="Reload Captcha" id="reload" onclick="reloadImg()" />

        <span class="error"><?php echo $verif_boxErr;?></span>
    </div>
    <div>
        <input type="submit" value="Send Message" name="submit" />
        <br /><br />
    </div> <!--end form-->
</form>

2 answers:

Answer 0 (score: -1)

Remove the action value so that the form submits to the page itself.

   <form method="post" action="" id="contactform">

I hope this works.

Answer 1 (score: -1)

I figured out a solution. I went back to W3Schools to see exactly what $_SERVER["PHP_SELF"] does in form validation, and it says:

What is the $_SERVER["PHP_SELF"] variable?
  $_SERVER["PHP_SELF"] is a super global variable that returns the filename of the currently executing script.

What is the htmlspecialchars() function?
  The htmlspecialchars() function converts special characters to HTML entities. This means that it will replace HTML characters like < and > with &lt; and &gt;. This prevents attackers from exploiting the code by injecting HTML or JavaScript code (Cross-site Scripting attacks) in forms.

So I figured that if the variable $_SERVER["PHP_SELF"] returns the filename (in this case contact.php), there's my problem, so I just replaced $_SERVER["PHP_SELF"] with the filename without the .php extension, like so:

contact

Voilà, it worked! But I'm not sure whether this workaround opens up vulnerabilities to hackers.
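As an added example (not code from the question or either answer): the "external URL" check rebuilt around a session-bound form token instead of HTTP_REFERER, which removes the dependency on whether the request URL ends in .php and keeps a fixed action path that matches the rewrite. It assumes PHP 7.1+, working sessions, and that the .htaccess rewrite serves this script at the path "contact".

```php
<?php
// Added example (not from the question or either answer): the "external URL"
// check done with a session-bound token instead of HTTP_REFERER, so it does
// not care whether the request URL ends in ".php". Assumes PHP 7.1+, sessions,
// and that the .htaccess rewrite serves this script at the path "contact".
session_start();
// Issue one token per session; it is embedded in the form as a hidden field.
function form_token(): string
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}
// Constant-time comparison; a missing or foreign token rejects the post.
function token_is_valid($submitted): bool
{
    return is_string($submitted) && isset($_SESSION['form_token'])
        && hash_equals($_SESSION['form_token'], $submitted);
}
$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!token_is_valid($_POST['form_token'] ?? null)) {
        // Referer is client-controlled and often blank; the token is server-issued.
        http_response_code(403);
        exit('Form token missing or invalid. Reload the page and try again.');
    }
    $name = trim($_POST['name'] ?? '');
    if (!preg_match('/^[a-zA-Z ]+$/', $name)) {
        $errors['name'] = 'Only letters and white space allowed';
    }
    if (!filter_var($_POST['from'] ?? '', FILTER_VALIDATE_EMAIL)) {
        $errors['from'] = 'Invalid email format';
    }
    if ($errors === []) {
        // send the mail here, then drop the token so a refresh cannot resend
        unset($_SESSION['form_token']);
        header('Location: success');
        exit;
    }
}
?>
<!-- Fixed action matches the rewritten path, so PHP_SELF is not needed. -->
<form method="post" action="contact" id="contactform">
    <input type="hidden" name="form_token" value="<?= htmlspecialchars(form_token()) ?>">
    <input type="text" name="name" id="name" value="<?= htmlspecialchars($_POST['name'] ?? '') ?>">
    <span class="error"><?= $errors['name'] ?? '' ?></span>
    <input type="submit" value="Send Message">
</form>
```

The remaining fields (subject, message, captcha) are validated exactly as in the question; only the origin check and the action attribute change.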