我为客户制作了一份PHP联系表格,他们回复我说他们收到这样的空白电子邮件:
From:
E-Mail:
Message:
当我以标准方式提交表单时,我已经进行了JavaScript验证,成功拒绝了空白表单。
下面的代码。在此先感谢:)
JS验证:
$("form#submit").submit(function() {
var custname = $('#custname').attr('value');
var custemail = $('#custemail').attr('value');
var custmessage = $('#custmessage').attr('value');
if (custname==null || custname=="" || custemail==null || custemail=="" || custmessage==null || custmessage=="") {
alert("Please fill out the whole form");
return false;
}
PHP邮件页面:
<?php
$to = "name@email.com";
$subject = "Message from website";
$name_field = htmlspecialchars(trim($_POST['custname']));
$email_field = htmlspecialchars(trim($_POST['custemail']));
$message = htmlspecialchars(trim($_POST['custmessage']));
$body = "From: $name_field\n E-Mail: $email_field\n Message: $message";
mail($to, $subject, $body);
?>
答案 0 :(得分:2)
客户端(Javascript)上的任何验证都可以轻松绕过,例如通过使用FireBug检查您的页面。
验证仅在客户端用于UX(用户体验),以使用户的生活更轻松,更快捷。因此,在真正的验证/安全性方面,我们需要在服务器端(PHP)再次执行此操作。
此外,当前的PHP代码向'E-mail Injection'开放。您可以查看此问题以确保其安全Escape string to use in mail()。
答案 1 :(得分:1)
在PHP邮件程序页面中,您可以编写如下内容: -
<?php
// Site Name ( not Site Title )
$dotcom = "Custom Site Name";
$main_mail_arr = array();
$main_mail_arr['admin'] = 'name@email.com';
$main_mail_arr['noReply'] = 'no-reply@email.com';
$main_mail_arr['cc'] = 'cc@email.com';
$main_mail_arr['bcc'] = 'bcc@email.com';
/**
* Mail Function
*/
function genMailing($to, $subj, $body, $from = '', $fromName = '', $reply = true, $cc = '', $bcc = '') {
global $main_mail_arr, $dotcom;
if( empty( $from ) )
$from = $main_mail_arr['noReply'];
if( empty( $fromName ) )
$fromName = $dotcom;
$headers = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
$headers .= "From: $fromName <" . $from . ">\r\n";
if( $reply )
$headers .= "Reply-to: $fromName <" . $from . ">\r\n";
if( !empty( $cc ) )
$headers .= "Cc: " . $cc . "\r\n";
if( !empty( $bcc ) )
$headers .= "Bcc: " . $bcc . "\r\n";
$headers .= "X-Mailer: PHP/" . phpversion() . "\r\n";
$return_str = mail( $to, $subj, $body, $headers );
return $return_str;
}
/**
* Email Validation Function
*/
function checkEmail( $email, $type = true ) {
if(preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$/i", $email)) {
$validResult = true;
}
if($validResult && $type) {
$e = explode("@", $email);
if(@checkdnsrr($e[1])) {
$validResult = true;
}
else {
$validResult = false;
}
}
return $validResult;
}
if (isset( $_POST['custname'] ) && isset( $_POST['custemail'] ) && isset( $_POST['contact_msg'] )) {
$nameError = '';
$emailError = '';
$msgError = '';
$valName = trim( $_POST['custname'] );
$valEmail = trim( $_POST['custemail'] );
$valMsg = trim( $_POST['custmessage'] );
if( empty( $valName ) ) {
$nameError = 'Please provide your Name.';
}
if( !empty($valEmail) && !checkEmail($valEmail, false) ) {
$emailError = 'Please provide your valid Email Address.';
}
if( empty( $valMsg ) ) {
$msgError = 'Please provide your Message / Query / Comments.';
}
if( empty( $nameError ) && empty( $emailError ) && empty( $msgError ) ) {
$to = $main_mail_arr['admin'];
$subject = "Message from website";
$body = '<h2 style="padding-bottom:0px; margin-bottom:0px;">New Details</h2>'.'<hr /><br />'."\r\n\n";
$body .= '<b>Name</b>: '.stripslashes($valName).'<br />'."\n";
$body .= '<b>Email Address</b>: '.stripslashes($valEmail).'<br />'."\n";
$body .= '<b>Message</b>: '.stripslashes($valMsg).'<br />'."\n";
$result = genMailing($to, $subject, $body, $valEmail, $valName, true);
if ($result) {
// Message for successful mail sent
}
}
else {
// Show the form below, with the error messages stored in the error variables
}
}
?>
以上代码主要介绍服务器端验证以及电子邮件验证。但是,您还可以提供比我使用的更严格的电子邮件验证检查,以及Captcha检查。
虽然,上面的代码已经很好地服务了我很多年,必须要提到的是,这个代码片段不是最后一个&amp;完全证明,因为我没有使用任何过滤/清理(如WordPress或其他CMS所做的)所有用户输入。但是,在处理用户输入时,它应该让你很好地开始使用谷歌。
您还可以查看以下一些过滤/清理的链接: -
希望它有所帮助。