PHP Contact form Validation / URL issue
I have a PHP contact form with validation, but I have set up .htaccess so that it removes the .php from the URL, so the URLs look cleaner (like WP URLs). The form works great, except when a user submits with a validation error and presses "submit": the form validates fine, but it reloads the URL with the .php extension, so if they fix their error and submit again, my "outside url" hacking PHP code kicks in and does not send the form, because the URL no longer matches.
How can I perform the validation without the page "reloading", or make it validate and reload without the .php extension in the URL??
PHP:
<?php
// define variables and set to empty values
$nameErr = $fromErr = $messageErr = $subjectErr = $phoneErr = $verif_boxErr = "";
$inquiries = $name = $from = $subject = $message = $verif_box = "";
$errors = 0;

if ($_SERVER["REQUEST_METHOD"] == "POST") { // check if form has been submitted
    // Get the inquiries field (user-controlled, so it gets the same cleanup as the other fields)
    $inquiries = test_input($_POST['inquiries'] ?? '');

    if (empty($_POST["name"])) {
        $nameErr = " * Name is missing";
        $errors = 1;
        echo '<style type="text/css"> input#name {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
    } else {
        $name = test_input($_POST["name"]);
        // check if name only contains letters and whitespace
        if (!preg_match("/^[a-zA-Z ]*$/", $name)) {
            $nameErr = "Only letters and white space allowed";
            $errors = 1;
            echo '<style type="text/css"> input#name {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
        }
    }

    if (empty($_POST["from"])) {
        $fromErr = " * Email is missing";
        $errors = 1;
        echo '<style type="text/css"> input#from {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
    } else {
        $from = test_input($_POST["from"]);
        // check if e-mail address is well-formed
        if (!filter_var($from, FILTER_VALIDATE_EMAIL)) {
            $fromErr = "Invalid email format";
            $errors = 1;
            echo '<style type="text/css"> input#from {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
        }
    }

    if (empty($_POST["subject"])) {
        $subjectErr = " * Subject is missing";
        $errors = 1;
        echo '<style type="text/css"> input#subject {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
    } else {
        $subject = test_input($_POST["subject"]);
    }

    if (empty($_POST["message"])) {
        $messageErr = " * Message is missing";
        $errors = 1;
        echo '<style type="text/css"> textarea#message {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
    } else {
        $message = test_input($_POST["message"]);
    }

    if (empty($_POST["verif_box"])) {
        $verif_boxErr = " * Security code is missing";
        $errors = 1;
        echo '<style type="text/css"> input#verif_box {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
    } else {
        $verif_box = test_input($_POST["verif_box"]);
        // compare against the cookie set by verificationimage.php (guard against a missing cookie)
        if (md5($verif_box) . 'a4xn' <> ($_COOKIE['tntcon'] ?? '')) {
            $verif_boxErr = " * Security code does not match";
            $errors = 1;
            echo '<style type="text/css"> input#verif_box {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
        }
    }

    if ($errors == 0) { // all fields successfully validated. final hack check before sending email:
        // Stop the form being used from an external URL
        $referer = ($_SERVER['HTTP_REFERER'] ?? '') . ".php"; // Get the referring URL (a header the browser sends; may be absent)
        $this_url = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER["REQUEST_URI"]; // Get the URL of this page
        // If the referring URL and the URL of this page don't match then
        // display a message and don't send the email.
        if ($referer != $this_url) {
            echo "You do not have permission to use this script from another URL, nice hacking attempt moron.";
            exit;
        } else { // send the email
            $message = "Subject: " . $subject . "\n\nMessage: " . $message;
            $message = "Inquiry: " . $inquiries . "\n" . $message;
            $message = "Name: " . $name . "\n" . $message;
            $message = "From: " . $from . "\n" . $message;
            mail("milkytech@gmail.com", 'ContactUs: ' . $subject, $_SERVER['REMOTE_ADDR'] . "\n\n" . $message, "From: Contact@AntiqueCafeBakery.com");
            setcookie('tntcon', ''); // delete the cookie so it cannot be sent again by refreshing this page
            header('Location: success'); // redirect to success page
            exit();
        }
    }
}

function test_input($data)
{
    $data = trim($data); // strip unnecessary characters (extra space, tab, newline) from the user input data
    $data = stripslashes($data); // remove backslashes (\) from the user input data
    $data = htmlspecialchars($data); // pass all variables through PHP's htmlspecialchars() function
    return $data;
}
?>
HTML:
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" id="contactform">
    <div>
        <label for="inquiries"><strong>Inquiries:</strong></label>
        <select name="inquiries" id="inquiries">
            <option value="Catering">Catering</option>
            <option value="Cookie Gift Tins">Cookie Gift Tins</option>
            <option value="Retail Stores">Retail Stores</option>
            <option value="Employment">Employment</option>
            <option value="Investment">Investment</option>
        </select>
    </div>
    <div>
        <label for="name"><strong>Name:</strong></label>
        <input type="text" size="50" name="name" id="name" value="<?php echo $name;?>"/><span class="error"><?php echo $nameErr;?></span>
    </div>
    <div>
        <label for="from"><strong>Email:</strong></label>
        <input type="text" size="50" name="from" id="from" value="<?php echo $from;?>"/><span class="error"><?php echo $fromErr;?></span>
    </div>
    <div>
        <label for="subject"><strong>Subject:</strong></label>
        <input type="text" size="50" name="subject" id="subject" value="<?php echo $subject;?>" /><span class="error"><?php echo $subjectErr;?></span>
    </div>
    <div>
        <label for="message"><strong>Message:</strong></label>
        <textarea rows="5" cols="69" name="message" id="message"><?php echo $message;?></textarea><span class="error"><?php echo $messageErr;?></span>
    </div>
    <div id="verif">
        <span>Captcha Code:</span>
        <input name="verif_box" type="text" size="10" id="verif_box"/>
        <img id="imageid" class="verifbox" src="verificationimage.php?<?php echo rand(0,9999);?>" alt="verification image, type it in the box" />
        <input type="button" value="Reload Captcha" id="reload" onclick="reloadImg()" />
        <span class="error"><?php echo $verif_boxErr;?></span>
    </div>
    <div>
        <input type="submit" value="Send Message" name="submit" />
        <br /><br />
    </div> <!--end form-->
</form>
Remove the action value so the form submits to its own page.
<form method="post" action="" id="contactform">
I hope this works.
I found the solution. I went back to W3Schools to see what $_SERVER["PHP_SELF"] actually does in form validation, and it says:
What is the $_SERVER["PHP_SELF"] variable?
The $_SERVER["PHP_SELF"] is a super global variable that returns the filename of the currently executing script.
What is the htmlspecialchars() function?
The htmlspecialchars() function converts special characters to HTML entities. This means that it will replace HTML characters like < and > with &lt; and &gt;. This prevents attackers from exploiting the code by injecting HTML or Javascript code (Cross-site Scripting attacks) in forms.
So I thought: if the variable $_SERVER["PHP_SELF"] returns the filename (in this case contact.php), that is my problem, so I just replaced $_SERVER["PHP_SELF"] with contact, without the .php extension, like this:
<form method="post" action="<?php echo htmlspecialchars('contact');?>" id="contactform">
Voila, it worked! But I am not sure whether this workaround creates a vulnerability for hackers.
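Added example, not code from the question or from either answer. It addresses both the referer check in the question and the closing doubt in the answer above. HTTP_REFERER is a header the browser chooses to send (it is often absent, and it changes whenever a rewrite rule changes the URL), so comparing it with the page URL is neither a reliable nor a meaningful origin check. The usual replacement is a random per-session token in a hidden field, compared in constant time on submit; the form then posts to action="" so the clean URL is kept and the .php comparison problem disappears. The captcha answer is held in the session rather than in the client's cookie for the same reason. Assumed for this example: the constants CSRF_KEY and CAPTCHA_KEY, the functions issue_csrf_token(), check_csrf_token(), store_captcha_answer(), check_captcha() and h(), the hidden field name csrf, the placeholder mail addresses, and that verificationimage.php calls store_captcha_answer() when it draws the code.

```php
<?php
// Added example, not the asker's or answerers' code. Assumes the page is served
// at the clean URL /contact (rewritten to contact.php) and posts to itself with
// action="". CSRF_KEY, CAPTCHA_KEY, the csrf field and the mail addresses are
// names chosen for this example.
session_start();

const CSRF_KEY    = 'contact_csrf';
const CAPTCHA_KEY = 'contact_captcha';

// Issue a fresh random token each time the form is rendered.
function issue_csrf_token(): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION[CSRF_KEY] = $token;
    return $token;
}

// Constant-time comparison of the posted token with the session copy.
// Single-use: the session copy is cleared whether or not it matched.
function check_csrf_token(?string $submitted): bool {
    $expected = $_SESSION[CSRF_KEY] ?? null;
    unset($_SESSION[CSRF_KEY]);
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Assumed to be called by verificationimage.php when it draws the code,
// in place of the md5(code).'a4xn' value the original kept in the 'tntcon' cookie.
function store_captcha_answer(string $code): void {
    $_SESSION[CAPTCHA_KEY] = strtolower($code);
}

// One attempt per image: the stored answer is cleared on every check.
function check_captcha(?string $typed): bool {
    $expected = $_SESSION[CAPTCHA_KEY] ?? null;
    unset($_SESSION[CAPTCHA_KEY]);
    if ($expected === null || $typed === null) {
        return false;
    }
    return hash_equals($expected, strtolower(trim($typed)));
}

// Escape at output time only: raw values go to the mail body, escaped values to HTML.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$errors = [];
$name = $from = $subject = $message = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!check_csrf_token($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Form session expired or invalid. Reload the page and try again.');
    }
    $name    = trim($_POST['name'] ?? '');
    $from    = trim($_POST['from'] ?? '');
    $subject = trim($_POST['subject'] ?? '');
    $message = trim($_POST['message'] ?? '');

    if (!preg_match('/^[\p{L} ]+$/u', $name))       $errors['name']      = 'Only letters and white space allowed';
    if (!filter_var($from, FILTER_VALIDATE_EMAIL))  $errors['from']      = 'Invalid email format';
    if ($subject === '')                             $errors['subject']   = 'Subject is missing';
    if ($message === '')                             $errors['message']   = 'Message is missing';
    if (!check_captcha($_POST['verif_box'] ?? null)) $errors['verif_box'] = 'Security code does not match';

    if ($errors === []) {
        // The subject becomes a mail header: remove CR/LF so a submitted value
        // cannot start a new header line.
        $safeSubject = str_replace(["\r", "\n"], ' ', $subject);
        $body = "From: $from\nName: $name\nSubject: $safeSubject\n\nMessage: $message";
        mail('recipient@example.com', 'ContactUs: ' . $safeSubject,
             $_SERVER['REMOTE_ADDR'] . "\n\n" . $body, 'From: contact@example.com');
        header('Location: success');
        exit;
    }
}
$csrf = issue_csrf_token(); // new token for the (re)rendered form
?>
<form method="post" action="" id="contactform">
  <input type="hidden" name="csrf" value="<?= h($csrf) ?>">
  <div><label for="name">Name:</label>
    <input type="text" name="name" id="name" value="<?= h($name) ?>">
    <span class="error"><?= h($errors['name'] ?? '') ?></span></div>
  <div><label for="from">Email:</label>
    <input type="text" name="from" id="from" value="<?= h($from) ?>">
    <span class="error"><?= h($errors['from'] ?? '') ?></span></div>
  <div><label for="subject">Subject:</label>
    <input type="text" name="subject" id="subject" value="<?= h($subject) ?>">
    <span class="error"><?= h($errors['subject'] ?? '') ?></span></div>
  <div><label for="message">Message:</label>
    <textarea name="message" id="message"><?= h($message) ?></textarea>
    <span class="error"><?= h($errors['message'] ?? '') ?></span></div>
  <div><label for="verif_box">Captcha Code:</label>
    <input type="text" name="verif_box" id="verif_box">
    <img src="verificationimage.php?<?= random_int(0, 9999) ?>" alt="verification image">
    <span class="error"><?= h($errors['verif_box'] ?? '') ?></span></div>
  <input type="submit" value="Send Message">
</form>
```

Because the token lives in the server-side session and is regenerated on every render, the check no longer depends on what URL the browser used to reach the page, so the .htaccess rewrite and the .php-less action value can stay as they are. Escaping with h() at output time instead of in test_input() also keeps the mailed text readable (no &amp;amp; in the message) while still neutralising markup in the re-rendered form.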