HTML Contactform security

I am trying to send an e-mail through an HTML contact form.
So I created this page:

    <form id="contact_form" action="sendMail.php" method="post">
        <input id="firstname" name="firstname" type="text" placeholder="Vorname" value="Firstname">
        <input id="lastname" name="lastname" type="text" placeholder="Nachname" value="Lastname">
        <input id="mail" name="mail" type="text" placeholder="E-Mail" value="[email protected]">
        <textarea id="msg" name="msg" placeholder="Ihre Nachricht..." >Hallo</textarea>
        <p id="error_print" class="hidden"></p>
        <input id="contact_submit" type="submit" title="Senden">
    </form>

I check the input with jQuery, send it to the PHP file via Ajax, and print my errors into the HTML.

    // isValidEmailAddress() is defined elsewhere and is not shown in this post.
    $('#contact_submit').click(function(){
        var that = $('#contact_form');
        var first_name = $('#firstname').val();
        var last_name = $('#lastname').val();
        var mail = $('#mail').val();
        var msg = $('#msg').val();
        // All four fields are required.
        if(first_name == "" || last_name == "" || mail == "" || msg == "")
        {
            $('#error_print').removeClass("hidden");
            $('#error_print').text("Bitte füllen Sie alle Felder aus");
        }
        else
        {
            if(!isValidEmailAddress(mail))
            {
                $('#error_print').removeClass("hidden");
                $('#error_print').text("Keine korrekte Mail");
            }
            else
            {
                // Hide an error message left over from an earlier attempt.
                if(!$('#error_print').hasClass("hidden"))
                {
                    $('#error_print').addClass("hidden");
                }
                var url = that.attr('action'),
                    method = that.attr('method'),
                    data = {};
                // Collect every named form field into the request payload.
                that.find('[name]').each(function(index, value)
                {
                    var name = $(this).attr('name');
                    value = $(this).val();
                    data[name] = value;
                });
                //console.log(data);
                $.ajax({
                    url: url,
                    type: method,
                    data: data,
                    success: function(response)
                    {
                        $('#error_print').removeClass("hidden");
                        $('#error_print').text("Mail wurde versendet");
                    },
                    error: function(error)
                    {
                        $('#error_print').removeClass("hidden");
                        $('#error_print').text("Fehler - Bitte erneut versuchen");
                    }
                });
            }
        }
        // Prevent the browser's normal form submission.
        return false;
    });

In my PHP, I send the mail like this:

    <?php
    // Handle the request only when all four form fields were posted.
    if(isset($_POST['firstname'], $_POST['lastname'], $_POST['mail'], $_POST['msg']))
    {
        // HTML-encode every submitted value.
        $mail = htmlentities($_POST['mail'], ENT_QUOTES);
        $firstname = htmlentities($_POST['firstname'], ENT_QUOTES);
        $lastname = htmlentities($_POST['lastname'], ENT_QUOTES);
        $msg = htmlentities($_POST['msg'], ENT_QUOTES);
        $empfaenger = "[email protected]"; // recipient
        $betreff = "Kontaktaufname";       // subject
        // The From header is built from the submitted name and address.
        $from = "From: $firstname $lastname <$mail>";
        $text = $msg;
        //print_r($_POST);
        mail($empfaenger, $betreff, $text, $from);
    }?>

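I don't know whether this is the best way to do it. For this, I read an article about injection in mails. But I'm not sure whether my script is secure enough.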
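
An added example, not part of the original post and not the poster's code: a hardened variant of `sendMail.php` that rejects CR/LF in the only user-supplied header value and keeps the names and message in the body. The helper name `build_contact_mail()`, the two `example.com` addresses and the subject text are assumptions made for illustration.

```php
<?php
// Added example (not the poster's code). Requires PHP 7.1+.
// build_contact_mail() and both example.com addresses are placeholders.

function build_contact_mail(array $post): ?array
{
    $fields = [];
    foreach (['firstname', 'lastname', 'mail', 'msg'] as $key) {
        // Reject missing, empty and non-string (e.g. mail[]=x) values.
        if (!isset($post[$key]) || !is_string($post[$key]) || trim($post[$key]) === '') {
            return null;
        }
        $fields[$key] = trim($post[$key]);
    }

    // htmlentities() leaves CR and LF untouched; a line break inside a header
    // value starts a new header line, so refuse it outright.
    if (preg_match('/[\r\n\0]/', $fields['mail'])) {
        return null;
    }
    $replyTo = filter_var($fields['mail'], FILTER_VALIDATE_EMAIL);
    if ($replyTo === false) {
        return null;
    }

    // Names and message go only into the body, where line breaks are harmless.
    // A plain-text mail needs no HTML escaping.
    $body = "Name: {$fields['firstname']} {$fields['lastname']}\r\n"
          . "E-mail: {$replyTo}\r\n\r\n" . $fields['msg'];
    $body = preg_replace('/\r\n|\r|\n/', "\r\n", $body); // normalise to CRLF

    $headers = implode("\r\n", [
        'From: noreply@example.com',   // fixed sender on the site's own domain
        'Reply-To: ' . $replyTo,       // the only user-supplied header value
        'Content-Type: text/plain; charset=UTF-8',
    ]);

    return ['to' => 'owner@example.com', 'subject' => 'Contact form',
            'body' => $body, 'headers' => $headers];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $m = build_contact_mail($_POST);
    if ($m === null) {
        http_response_code(400);       // makes the Ajax error callback fire
    } elseif (!mail($m['to'], $m['subject'], $m['body'], $m['headers'])) {
        http_response_code(500);
    }
}
```

Because the jQuery code treats any 2xx response as "Mail wurde versendet", returning 400 or 500 here is what lets the form show its error text when the server rejects the input.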