2014-09-30 51 views
0

請告知下面的表單驗證腳本是否足夠安全以避免大多數類型(所有類型)的聯繫表單漏洞利用?我發現這個腳本在線,添加了一些額外的PHP finctions,希望能夠使它更安全,但並不能完全確定它是否適合這個目的。表單驗證評估

if ($_SERVER["REQUEST_METHOD"] == "POST" && !empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') { 
    // Get the form fields and remove whitespace. 
    $name = strip_tags(trim($_POST["name"])); 
    $name = str_replace(array("\r","\n"),array(" "," "),$name); 
    $email = filter_var(trim($_POST["email"]), FILTER_SANITIZE_EMAIL); 
    $message = trim($_POST["message"]); 

    // Check that data was sent to the mailer. 
    if (empty($name) OR empty($message) OR !filter_var($email, FILTER_VALIDATE_EMAIL)) { 
     // Set a 400 (bad request) response code and exit. 
     //http_response_code(400); 
     echo "Oops! There was a problem with your submission. Please complete the form and try again."; 
     exit; 
    } 

    // Set the recipient email address. 
    // FIXME: Update this to your desired email address. 
    $recipient = "email_here"; 

    // Set the email subject. 
    $subject = "New contact from $name"; 

    // Build the email content. 
    $email_content = "Name: $name\n"; 
    $email_content .= "Email: $email\n\n"; 
    $email_content .= "Message:\n$message\n"; 

    // Build the email headers. 

    $email_headers = "MIME-Version: 1.0\r\n"; 
    $email_headers .= "Content-type: text/html; charset=utf-8\r\n"; 
    $email_headers .= "From: $name <$email>\r\n"; 
    $email_headers .= "Reply-To: $email\r\n"; 
    $email_headers .= "Return-Path: $email\r\n"; 
    $email_headers .= "Organization: Bilingual Counselling\r\n"; 

    // Send the email. 
    if (mail($recipient, $subject, $email_content, $email_headers)) { 
     // Set a 200 (okay) response code. 
     //http_response_code(200); 
     echo "Thank You! Your message has been sent."; 
    } else { 
     // Set a 500 (internal server error) response code. 
     //http_response_code(500); 
     echo "Oops! Something went wrong and we couldn't send your message."; 
    } 

} 
+0

不確定你在問什麼。你的腳本是否工作或失敗 - 如果是的話,錯誤是什麼?還是你要求進行代碼審查? – 2014-09-30 16:01:44

+0

你應該嘗試一些xss反對它...我們不應該爲你做這件事.. – Pogrindis 2014-09-30 16:02:42

+0

我不是要求代碼給我,我要求代碼回覆和建議 – 2014-09-30 16:05:57

回答

1

這是不安全的。例如,你不用$message做任何事情 - 你應該在這裏使用strip_tags()函數。現在你把這個變量持有的東西直接放入電子郵件內容中。

+0

謝謝,編輯。還有更多擔憂嗎? – 2014-09-30 16:18:07