
PHP Secure E-mails


Source: Internet | Compiled by: 软晨网 (RuanChen.com) | Published: 2009-03-01 | Views: 986

There is a weakness in the PHP e-mail script from the previous chapter: sending mail with it as written is not safe.


PHP E-mail Injections

First, look at the PHP code from the previous chapter:

<html>
<body>
<?php
// if "email" is filled out, send email
if (isset($_REQUEST['email'])) {
    // send email
    $email   = $_REQUEST['email'];
    $subject = $_REQUEST['subject'];
    $message = $_REQUEST['message'];
    // "someone@example.com" stands in for the recipient address, which was obfuscated on this page
    mail("someone@example.com", "Subject: $subject", $message, "From: $email");
    echo "Thank you for using our mail form";
} else {
    // if "email" is not filled out, display the form
    echo "<form method='post' action='mailform.php'>
    Email: <input name='email' type='text' /><br />
    Subject: <input name='subject' type='text' /><br />
    Message:<br />
    <textarea name='message' rows='15' cols='40'></textarea><br />
    <input type='submit' />
    </form>";
}
?>
</body>
</html>

The problem with the code above is that the email field is copied straight into the From: header, so anyone submitting the form can insert additional data into the mail headers through it.

What happens if the user adds the following text to the email input field in the form? (The addresses are placeholders; the page's original addresses were obfuscated.)

someone@example.com%0ACc:person2@example.com
%0ABcc:person3@example.com,person4@example.com,
person5@example.com,person6@example.com
%0ATo:person7@example.com

Each %0A is a URL-encoded line feed, so after decoding the text above contains real line breaks. The mail() function places it into the mail headers as usual, and the header now contains extra Cc:, Bcc:, and To: fields. When the user clicks the submit button, the e-mail is sent to all of the addresses above!


PHP Stopping E-mail Injections

The best way to stop e-mail injections is to validate the input before it reaches mail().

The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:

<html>
<body>
<?php
function spamcheck($field)
{
    // preg_match() with the /i modifier performs a case-insensitive match
    // (the original used eregi(), which was removed in PHP 7)
    if (preg_match('/to:/i', $field) || preg_match('/cc:/i', $field)) {
        return TRUE;
    } else {
        return FALSE;
    }
}

// if "email" is filled out, send email
if (isset($_REQUEST['email'])) {
    // check if the email address is invalid
    $mailcheck = spamcheck($_REQUEST['email']);
    if ($mailcheck == TRUE) {
        echo "Invalid input";
    } else {
        // send email
        $email   = $_REQUEST['email'];
        $subject = $_REQUEST['subject'];
        $message = $_REQUEST['message'];
        // "someone@example.com" stands in for the recipient address, which was obfuscated on this page
        mail("someone@example.com", "Subject: $subject", $message, "From: $email");
        echo "Thank you for using our mail form";
    }
} else {
    // if "email" is not filled out, display the form
    echo "<form method='post' action='mailform.php'>
    Email: <input name='email' type='text' /><br />
    Subject: <input name='subject' type='text' /><br />
    Message:<br />
    <textarea name='message' rows='15' cols='40'></textarea><br />
    <input type='submit' />
    </form>";
}
?>
</body>
</html>
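The spamcheck() validator above only looks for the substrings "to:" and "cc:" in the email field; it does not reject the line break itself, which is what the %0A injection relies on, and it never looks at the subject field, which is also placed in a header. As an added example (not code from the original tutorial), here is a stricter validator covering both the injection shown in the first section and the mitigation in this one: it rejects any CR or LF in a header-bound value, rejects embedded header names, and checks that the From address is a single syntactically valid address with filter_var(). The function names, the sample inputs and the example.com addresses are assumptions made for this example.

```php
<?php
// Added example, not from the original tutorial. Assumes the same form fields
// as the page (email, subject, message); the recipient address is a placeholder.

/**
 * Return true when a value destined for a mail header is safe to use:
 * no CR/LF (a line break lets the sender start a new header line) and no
 * embedded header names. Usable for the From: and Subject: values alike.
 */
function header_value_is_safe(string $value): bool
{
    // Any carriage return or line feed would terminate the current header line.
    if (preg_match('/[\r\n]/', $value)) {
        return false;
    }
    // Reject anything that looks like an extra header, case-insensitively.
    if (preg_match('/\b(to|cc|bcc|content-type)\s*:/i', $value)) {
        return false;
    }
    return true;
}

/**
 * The From address must pass the header check and be a single
 * syntactically valid e-mail address.
 */
function from_address_is_valid(string $email): bool
{
    return header_value_is_safe($email)
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Send the form mail only when every header-bound field is clean.
 * Returns a short status string so the caller can report the outcome.
 */
function send_form_mail(string $email, string $subject, string $message): string
{
    if (!from_address_is_valid($email)) {
        return 'rejected: invalid From address';
    }
    if (!header_value_is_safe($subject)) {
        return 'rejected: invalid Subject';
    }
    // "someone@example.com" is a placeholder recipient.
    $ok = mail("someone@example.com", $subject, $message, "From: $email");
    return $ok ? 'sent' : 'mail() failed';
}

// Constructed sample inputs, including the page's injection string with
// %0A already decoded to a real newline, as it arrives in $_REQUEST.
$samples = [
    'normal'     => "someone@example.com",
    'injected'   => "someone@example.com\nCc:person2@example.com\nBcc:person3@example.com",
    'no-newline' => "someone@example.com cc: person4@example.com",
];

foreach ($samples as $label => $value) {
    printf("%-10s %s\n", $label, from_address_is_valid($value) ? 'accepted' : 'rejected');
}
```

Of the three constructed inputs only the first is accepted: the second fails on the line breaks, and the third fails both the header-name check and filter_var(), since it is not a single address. Applying header_value_is_safe() to the subject as well closes the same gap for the second header the form controls.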
