我是一个PHP黑客。洞察力非常受欢迎,因为它可以帮助我找出出错的地方。
基本上我为自己的目的改编了this contact form。 Javascript验证效果很好!似乎php验证也正常工作。直到我开始从我自己的表单中获取空白提交。我试图避免在此表单中添加验证码。空白提交是令人讨厌的,如果有人能指出我在我的改编中犯了错误,我会很高兴。谢谢你的时间。
表单HTML
<?php include('/ajax/verify.php');?>
<form action="/ajax/" method="post" id="sendEmail">
<h4>Contact Us</h4>
<p class="alert">* All fields are required</p>
<ol class="forms">
<li><label for="username">Your Name</label><input type="text" name="username" id="username" value="" /></li>
<li><label for="emailFrom">Your Email</label><input type="text" name="emailFrom" id="emailFrom" value="" /></li>
<li><label for="phonenumber">Phone Number</label><input type="text" name="phonenumber" id="phonenumber" value="" /></li>
<li><label for="message">Message</label><textarea name="message" id="message"></textarea></li>
<li class="buttons"><button type="submit" id="submit">Send Email »</button><input type="hidden" name="submitted" id="submitted" value="true" /></li>
</ol>
</form>
Javascript验证
//Ajax Form
$(document).ready(function(){
$("#submit").click(function(){
$(".error").hide();
var hasError = false;
var emailReg = /^([\w-\.]+@([\w-]+\.)+[\w-]{2,4})?$/;
var phoneReg = /^\(?(\d{3})\)?[- ]?(\d{3})[- ]?(\d{4})$/;
//from email
var emailFromVal = $("#emailFrom").val();
if(emailFromVal == '') {
$("#emailFrom").after('<span class="error">You forgot to enter the email address to send from.</span>');
hasError = true;
} else if(!emailReg.test(emailFromVal)) {
$("#emailFrom").after('<span class="error">Enter a valid email address to send from.</span>');
hasError = true;
}
//name
var usernameVal = $("#username").val();
if(usernameVal == '') {
$("#username").after('<span class="error">You forgot to enter your name.</span>');
hasError = true;
}
//phone
var phonenumberVal = $("#phonenumber").val();
if(phonenumberVal == '') {
$("#phonenumber").after('<span class="error">You forgot to enter your phone number.</span>');
hasError = true;
} else if(!phoneReg.test(phonenumberVal)) {
$("#phonenumber").after('<span class="error">Enter a valid phone number.</span>');
hasError = true;
}
//message
var messageVal = $("#message").val();
if(messageVal == '') {
$("#message").after('<span class="error">You forgot to enter the message.</span>');
hasError = true;
}
if(hasError == false) {
$(this).hide();
$("#sendEmail li.buttons").append('<img src="/ajax/img/ajax-loader.gif" alt="Loading" id="loading" />');
$.post("/ajax/sendEmail.php",
{ emailFrom: emailFromVal, username: usernameVal, phonenumber: phonenumberVal, message: messageVal },
function(data){
$("#sendEmail").slideUp("normal", function() {
$("#sendEmail").before('<h4 class="success">Thank You</h4><p class="success">One of our highly trained staff will contact with you shortly.</p>');
});
}
);
}
return false;
});
});
验证脚本(php)
if(isset($_POST['submitted'])) {
if($_POST['emailFrom'] == '') {
$emailFromError = 'You forgot to enter the email address to send from.';
} else if (!eregi("^[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}$", $_POST['emailFrom'])) {
$emailFromError = 'Enter a valid email address to send from.';
}
if($_POST['phonenumber'] == '') {
$emailFromError = 'You forgot to enter the email address to send from.';
} else if (!eregi("/^\(?(\d{3})\)?[- ]?(\d{3})[- ]?(\d{4})$/$", $_POST['phonenumber'])) {
$emailFromError = 'Enter a valid email address to send from.';
}
if($_POST['message'] == '') {
$messageError = 'You forgot to enter the message.';
}
if($_POST['username'] == '') {
$messageError = 'You forgot your name.';
}
if(!isset($emailFromError) && !isset($messageError)) {
include('sendEmail.php');
include('thanks.php');
}
}
Mailscript
$mailTo = 'redacted@emailaddress.com';
$mailFrom = $_POST['emailFrom'];
$username = $_POST['username'];
$phonenumber = $_POST['phonenumber'];
$subject = "New website inquiry from $username";
$message = $_POST['message'];
$message = wordwrap($message, 70);
$messagebody = "From: $username Phone Number: $phonenumber $message";
mail($mailTo, $subject, $messagebody, "From: ".$mailFrom);
答案 0 :(得分:1)
而不是只是在邮件正文中查找空字符串,而是需要删除所有空格字符(使用类似trim()
和然后的内容对于那里的内容。
现在看来,有人可以简单地输入一些空格字符,然后通过PHP验证。
最后,请记住,javascript验证只是有用的速度提升,用户广告不可信赖进行验证,因为我可以在关闭javascript的情况下使用您的网站
答案 1 :(得分:1)
在验证中,您可能希望执行以下操作:
foreach($_POST as $name => $value) {
$_POST[$name] = trim($value);
}
验证看起来很合理,但如果他们为所有必填字段放置一个空格,似乎空白提交可能会通过。我不确定这是不是发生了什么,但从我看到的情况来看,看起来空值不应该通过服务器端验证。
任何可能填写表单的机器人都会忽略javascript,因此请确保服务器验证不严格。
答案 2 :(得分:1)
似乎(通过文件名判断)如果某人禁用了javascript,他或她会直接发布到邮件脚本,并且没有进行服务器端验证。
你需要改变这个:
<form action="/ajax/sendEmail.php" method="post" id="sendEmail">
为:
<form action="/ajax/validation.php" method="post" id="sendEmail">
或调用任何验证脚本。