0
請告知下面的表單驗證腳本是否足夠安全以避免大多數類型(所有類型)的聯繫表單漏洞利用?我發現這個腳本在線,添加了一些額外的PHP finctions,希望能夠使它更安全,但並不能完全確定它是否適合這個目的。表單驗證評估
if ($_SERVER["REQUEST_METHOD"] == "POST" && !empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
// Get the form fields and remove whitespace.
$name = strip_tags(trim($_POST["name"]));
$name = str_replace(array("\r","\n"),array(" "," "),$name);
$email = filter_var(trim($_POST["email"]), FILTER_SANITIZE_EMAIL);
$message = trim($_POST["message"]);
// Check that data was sent to the mailer.
if (empty($name) OR empty($message) OR !filter_var($email, FILTER_VALIDATE_EMAIL)) {
// Set a 400 (bad request) response code and exit.
//http_response_code(400);
echo "Oops! There was a problem with your submission. Please complete the form and try again.";
exit;
}
// Set the recipient email address.
// FIXME: Update this to your desired email address.
$recipient = "email_here";
// Set the email subject.
$subject = "New contact from $name";
// Build the email content.
$email_content = "Name: $name\n";
$email_content .= "Email: $email\n\n";
$email_content .= "Message:\n$message\n";
// Build the email headers.
$email_headers = "MIME-Version: 1.0\r\n";
$email_headers .= "Content-type: text/html; charset=utf-8\r\n";
$email_headers .= "From: $name <$email>\r\n";
$email_headers .= "Reply-To: $email\r\n";
$email_headers .= "Return-Path: $email\r\n";
$email_headers .= "Organization: Bilingual Counselling\r\n";
// Send the email.
if (mail($recipient, $subject, $email_content, $email_headers)) {
// Set a 200 (okay) response code.
//http_response_code(200);
echo "Thank You! Your message has been sent.";
} else {
// Set a 500 (internal server error) response code.
//http_response_code(500);
echo "Oops! Something went wrong and we couldn't send your message.";
}
}
不確定你在問什麼。你的腳本是否工作或失敗 - 如果是的話,錯誤是什麼?還是你要求進行代碼審查? – 2014-09-30 16:01:44
你應該嘗試一些xss反對它...我們不應該爲你做這件事.. – Pogrindis 2014-09-30 16:02:42
我不是要求代碼給我,我要求代碼回覆和建議 – 2014-09-30 16:05:57