
Replacing the deprecated eregi() with stristr(). Is this PHP mail script safe from header injection?

Stack Overflow user
Asked on 2012-12-08 09:14:24
1 answer, 651 views, 0 followers, 2 votes

For years I have used the same PHP script to send emails from a contact form. But when my web server was upgraded to PHP 5.3, the call to eregi started producing a deprecation warning.

After searching on Google, I found that I could use stristr instead of eregi.

When I made this simple switch, everything worked fine, but I am not a PHP wizard, so I would like to know whether my script is still safe from header injection.

Can anyone reassure me and confirm that this script is safe (or at least safe enough) to use for sending emails from a contact form?

Here is the current script using stristr:

```php
<?php

$to = "myemail@gmail.com";

// the $Name is the PHP variable, the $_POST['Name'] should match the name of the input boxes in the form
$Name    = $_POST['Name'] ?? '';
$Email   = $_POST['Email'] ?? '';
$Phone   = $_POST['Phone'] ?? '';
$Message = $_POST['Message'] ?? '';

// you can format the email anyway you want.
$message = "Form submitted by $Name

Applicant Information:\n

Name: $Name

Email: $Email

Phone: $Phone

Message: $Message";

// Check for script HiJack: look for known header names in every POSTed value.
// stristr() takes the haystack first and the needle second, so the POST value
// is the haystack and the blacklisted header name is the needle.
$arBadStr = array("Content-Type:", "MIME-Version:", "Content-Transfer-Encoding:", "bcc:", "cc:");

foreach ($_POST as $tName => $tVal) {
    foreach ($arBadStr as $tStr) {
        if (stristr($tVal, $tStr) !== false) {
            $fSub = "Failed: Header Injection.";
            reportError($fSub);
        }
    }
}

if (mail($to, "mywebsite.com contact Form Submission", $message, "From: $Name <$Email>")) {
    echo "Thank you $Name for your interest. We will contact you shortly";
} else {
    echo "There was a problem sending the mail. Please check that you filled in the form correctly.";
}

// Report error function called when test detects hijacking. Mails report to webmaster and kills process.
function reportError($fSub) {
    $eBody = "";
    foreach ($_POST as $name => $value) {
        $eBody .= "$name : $value \r\n";
    }
    mail("myemail@gmail.com", $fSub, $eBody, "From: Webmaster <myemail@gmail.com>");
    header("Location: http://www.mywebsite.com");
    exit;
}
?>
```

Update

Based on Mystery's help, here is what my new script looks like. As you can see, I removed the header validation functions and instead simply sanitize the input fields.

```php
<?php
$to = "myemail@gmail.com";

// the $Name is the PHP variable, the $_POST['Name'] should match the name of the input boxes in the form
// Strip CR and LF so that no value can start a new header line.
$Name    = str_replace(array("\n", "\r"), '', $_POST['Name'] ?? '');
$Email   = str_replace(array("\n", "\r"), '', $_POST['Email'] ?? '');
$Phone   = str_replace(array("\n", "\r"), '', $_POST['Phone'] ?? '');
$Message = str_replace(array("\n", "\r"), '', $_POST['Message'] ?? '');

// Remove a few header names (and "href") from the values; str_replace() is case-sensitive.
function clean_string($string) {
    $bad = array("content-type", "bcc:", "to:", "cc:", "href");
    return str_replace($bad, "", $string);
}

$Name    = clean_string($Name);
$Email   = clean_string($Email);
$Phone   = clean_string($Phone);
$Message = clean_string($Message);

// you can format the email anyway you want.
$message = "Form submitted by $Name

Applicant Information:\n

Name: $Name

Email: $Email

Phone: $Phone

Message: $Message";

if (mail($to, "mywebsite.com contact Form Submission", $message, "From: $Name <$Email>")) {
    echo "Thank you $Name for your interest. We will contact you shortly";
} else {
    echo "There was a problem sending the mail. Please check that you filled in the form correctly.";
}
?>
```

1 Answer

Stack Overflow user

Accepted answer

Posted on 2012-12-08 09:40:27

You try to blacklist headers such as Bcc and Cc, but you fail to block To and From.

RFC 822 states in section 4.1, on page 16:

This specification permits multiple occurrences of most fields. Except as noted, their interpretation is not specified here, and their use is discouraged.

Therefore an attacker would be able to manipulate the message to add additional recipients and senders. You really should only check for newline and carriage-return characters, or simply sanitize all $_POST values by stripping the \r and \n characters.

```php
<?php

// Strip CR and LF: a value with no line break cannot start a new header.
function clean_string($string)
{
    return str_replace(array("\n", "\r"), '', $string);
}

$to = 'myemail@gmail.com';

// the $Name is the PHP variable, the $_POST['Name'] should match the name of the input boxes in the form
$Name    = clean_string($_POST['Name'] ?? '');
$Email   = clean_string($_POST['Email'] ?? '');
$Phone   = clean_string($_POST['Phone'] ?? '');
$Message = clean_string($_POST['Message'] ?? '');

// you can format the email anyway you want.
$message = "Form submitted by $Name

Applicant Information:\n

Name: $Name

Email: $Email

Phone: $Phone

Message: $Message";

if (mail($to, 'mywebsite.com contact Form Submission', $message, "From: $Name <$Email>"))
{
    // Escape the name before echoing it back into HTML.
    echo 'Thank you ' . htmlspecialchars($Name) . ' for your interest. We will contact you shortly';
}
else
{
    echo "There was a problem sending the mail. Please check that you filled in the form correctly.";
}

?>
```
4 votes
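The following is an added example (PHP 7 or later), not code from the question or the accepted answer. The first part shows what the `From: $Name <$Email>` header built by the scripts above becomes once an attacker puts a CRLF into the Email field; the second part is a stricter handler that rejects header values containing CR/LF instead of stripping them, validates the address with `filter_var()`, and keeps the visitor's address out of `From:` altogether. The field names are the ones used in the question; the addresses, `form@mywebsite.com`, and the function names are assumptions.

```php
<?php
// Added example, not code from the question or the accepted answer.
// Addresses, form@mywebsite.com and the function names are assumptions.

// Part 1: the additional_headers string the original scripts hand to mail().
function buildFromHeader(string $name, string $email): string
{
    return "From: $name <$email>";
}

// Constructed attacker input for the Email field: a normal-looking address,
// then CRLF and a second header. The Name field could be abused the same way.
$attackerEmail = "attacker@example.com\r\nBcc: victim1@example.com, victim2@example.com";

echo "--- header built from the attacker's Email value ---\n";
echo buildFromHeader("Bob", $attackerEmail), "\n\n";
// The MTA receives two header lines:
//   From: Bob <attacker@example.com
//   Bcc: victim1@example.com, victim2@example.com>
// A blacklist of header names only helps until the attacker picks a header
// that is not on it (To:, Reply-To:, Subject:); the CRLF is the real problem.

// Part 2: reject, do not clean.
function hasLineBreak(string $value): bool
{
    // CR, LF or NUL anywhere in a header value means injection, not a typo.
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Returns a list of error strings; an empty list means the fields may be
// placed in mail() headers. Only Name, Email and Phone go into headers;
// Message is body text and keeps its line breaks.
function validateContactFields(array $post): array
{
    $errors = [];
    foreach (['Name', 'Email', 'Phone'] as $field) {
        if (hasLineBreak($post[$field] ?? '')) {
            $errors[] = "$field contains a line break";
        }
    }
    // FILTER_VALIDATE_EMAIL accepts exactly one address, so it rejects the
    // attacker string above and also "a@example.com, b@example.com".
    if (filter_var($post['Email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email is not a valid address';
    }
    return $errors;
}

// Builds mail() headers from validated fields. From: is a fixed address on the
// site's own domain (assumed: form@mywebsite.com) so the receiving side's
// SPF/DKIM checks still pass; the visitor's address goes into Reply-To:, where
// it only decides where a reply is sent.
function buildHeaders(array $post): string
{
    // Quote the display name so <, >, " and , cannot change the address part.
    $displayName = '"' . str_replace(['\\', '"'], ['\\\\', '\\"'], $post['Name']) . '"';
    return "From: Contact Form <form@mywebsite.com>\r\n"
         . "Reply-To: $displayName <{$post['Email']}>";
}

// Constructed requests standing in for $_POST.
$requests = [
    'legitimate' => ['Name' => 'Alice', 'Email' => 'alice@example.org',
                     'Phone' => '555-0100', 'Message' => "Hello,\nplease call me."],
    'injection'  => ['Name' => 'Bob', 'Email' => $attackerEmail,
                     'Phone' => '', 'Message' => 'spam'],
];

foreach ($requests as $label => $post) {
    $errors = validateContactFields($post);
    if ($errors === []) {
        echo "$label: accepted, headers:\n", buildHeaders($post), "\n\n";
        // Real handler: mail($to, $subject, $post['Message'], buildHeaders($post));
    } else {
        echo "$label: rejected (", implode('; ', $errors), ")\n\n";
    }
}
```

Rejecting instead of stripping keeps the evidence that the original `reportError()` wanted to mail to the webmaster and never silently mangles a legitimate value. Only fields that end up in headers need the CR/LF check: `Message` is body text, and stripping line breaks from it (as the updated script in the question does) flattens every multi-line message for no security benefit. Sending with a fixed `From:` on your own domain and the visitor in `Reply-To:` also avoids SPF/DMARC failures when the visitor's mail domain publishes a policy that your server is not authorised to send for.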
Original page content provided by Stack Overflow. Translation supported by Tencent Cloud's Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/13773451
