Hidden fields not processed by PHP
I've created a tell-a-friend form for a CMS. I need some hidden fields in the form so that I can pass the homepage address, the link to the logo, and the web admin email address. However, the values of the hidden fields are not passed to my mail file. You could also try the form on my website http://www.zoosh.me/tellafriend.php Is there a bug in PHP, or is something wrong with my files? I would really appreciate your help, guys.
Thanks,
Ovi
<form id="tellafriend" method="post" action="mail.php">
<fieldset>
<img id="telllogo" width="170" alt="Logo" src="/perch/resources/1253956138myself-w170.jpg"/>
<input width="170" type="hidden" alt="Logo" value="/perch/resources/1253956138myself-w170.jpg" name="logo"/>
<input type="hidden" value="http://www.zoosh.me" name="webaddress"/>
<ul class="wrapper">
<li>
<label class="label" for="yourname">Your Name:</label>
<input id="yourname" class="text jquery-live-validation-on invalid" type="text" value="" name="yourname"/>
<img alt="Invalid" src="images/invalid.png"/>
</li>
<li>
<label for="youremail">Your Email:</label>
<input id="youremail" class="text jquery-live-validation-on invalid" type="text" value="" name="youremail"/>
<img alt="Invalid" src="images/invalid.png"/>
</li>
<li>
<label for="friendsname">Friend's Name:</label>
<input id="friendsname" class="text jquery-live-validation-on invalid" type="text" value="" name="friendsname"/>
<img alt="Invalid" src="images/invalid.png"/>
</li>
<li>
<label for="friendsemail">Friend's Email:</label>
<input id="friendsemail" class="text jquery-live-validation-on invalid" type="text" value="" name="friendsemail"/>
<img alt="Invalid" src="images/invalid.png"/>
</li>
<li>
<label for="message">
Your Message
<br/>
<small id="charLeft">150 Characters left</small>
</label>
<textarea id="message" class="jquery-live-validation-on invalid" cols="10" rows="3" name="message"></textarea>
<img alt="Invalid" src="images/invalid.png"/>
</li>
<li class="inputSubmit">
<input id="submit" class="submit" type="submit" value="Send"/>
</li>
</ul>
<input type="hidden" value="[email protected]" name="adminaddress"/>
</fieldset>
</form>
Here is the code for the mail.php file that processes the form and sends an email to my visitors' friends.
<?php
$yourname = $_POST['yourname'];
$youremail = $_POST['youremail'];
$news = $_POST['news'];
$friendsname = $_POST['friendsname'];
$friendsemail = $_POST['friendsemail'];
$adminemail = $_POST['adminemail'];
$logo = $_POST['logo'];
$webaddress = $_POST['webaddress'];
$subject = "I've found a great website!";
$headers = "From: " . strip_tags($from) . "\r\n";
$headers .= "Reply-To: " . strip_tags($from) . "\r\n";
$headers .= "BCC: [email protected]\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
$message = $_POST['message'];
$body="<html>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
<title>Zoosh</title>
</head>
<body>
<table width='90%' cellpadding='0' cellspacing='0'>
<tr>
<td align='center' valign='top'>
<table width='411' cellpadding='0' cellspacing='0'>
<tr>
<td><img src='http://recycledoc.com/emails/zoosh_tellafriend/tdbg.png' width='1' height='450' alt='Tdbg'></td>
<td background='http://recycledoc.com/emails/zoosh_tellafriend/tellafriendbg.jpg' valign='top' style='padding-top:20px; padding-right:20px; padding-bottom:20px; padding-left:20px;'>
<table width='370' cellpadding='0' cellspacing='0'>
<tr>
<td valign='top' width='170' style='padding-right:10px'><img src='"
. $webaddress . $logo . "' />
</td>
<td valign='top' width='190' style='font-family:Helvetica,Arial,Verdana,sans-serif; font-size:12px; color:#555;'>
<p style='margin-top:0; margin-bottom:0;'>
<span style='font-weight:bold;'>From:</span>" . $yourname . "<br>
<span style='font-weight:bold;'>Email:</span> <a style='text-decoration:none; color:#6927B2;' href='mailto:" . $youremail . "'>" . $youremail . "</a></p>
<p style='padding-top:200px;'>" . $message .
"</p>
<a href='" . $webaddress . "'><img src='http://recycledoc.com/emails/zoosh_tellafriend/visit.png' width='120' height='20' alt='Visit'></a>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</body>
</html>";
if (mail($friendsemail, $subject, $body, $headers)) {
echo "Thank you for telling your friend about my website. <a href='#' id='goback'>Click here</a> to tell another friend.";
} else {
echo "Sorry. There was a problem sending your email. Please try again!";
}
mail($adminemail, $subject, $body, $headers);
mail($youremail, $subject, $body, $headers);
Answers (2)
You're circumventing the normal submission process of the form and submitting it through AJAX:
This does not include logo, webaddress or adminaddress, so of course they do not arrive at the PHP script.
Also, you are not correctly escaping those values, so if someone includes a '&' or other special characters in one of those fields, it'll break. Use encodeURIComponent, or, since you are using jQuery's ajax function, just pass a lookup in and let jQuery take care of that for you:
There are more escaping problems like this.
Strip_tags is not useful here. Mail headers are plain text; HTML tags have no special meaning. What is dangerous, however, is newlines. This would allow an attacker to add any header they like to the mail, or even possibly send multiple, completely-controlled-by-attacker mails.
You should strongly sanitise anything you are going to put in a mail header; non-ASCII and control characters in particular must be stripped.
HTML injection. $webaddress and $logo can contain quotes, allowing an attacker to insert arbitrary HTML and JavaScript code. You need htmlspecialchars($s, ENT_QUOTES) every time you put text into HTML.
It is also dangerous to allow the user to choose any webaddress, logo, adminaddress, etc. This is a gift to spammers: they will submit their own data and message, hijacking your webform to "tell a friend" about their own penis pills instead, and getting your server widely blocked. If you must have a 'tell a friend' feature you need to really lock down what the parameters are allowed to be; just putting them in a hidden field is no protection.
Your PHP script accesses $_POST['adminemail'], but the hidden field is called adminaddress.
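Putting the points from both answers together, here is a hardened version of the handler as an added example; it is not the poster's mail.php and not either answerer's code. The site address and logo path are taken from the posted form, the admin address is a placeholder, and the script assumes PHP 7.1 or later. Fixing the site values in the script rather than reading them back from hidden fields also removes the adminemail/adminaddress mismatch, since no such field is needed.

```php
<?php
// Hardened tell-a-friend handler (added example, not the poster's mail.php).
// Site-specific values live in the script, not in hidden fields a client can edit.
const WEB_ADDRESS   = 'http://www.zoosh.me';
const LOGO_PATH     = '/perch/resources/1253956138myself-w170.jpg';
const ADMIN_ADDRESS = 'admin@example.invalid'; // placeholder: set to the real admin mailbox

// Accept only a single plain address: any CR/LF, control or non-ASCII byte is
// rejected outright, which closes the header-injection hole the answer describes.
function clean_email(string $raw): ?string {
    $raw = trim($raw);
    if (preg_match('/[\x00-\x1F\x7F-\xFF]/', $raw)) return null;
    return filter_var($raw, FILTER_VALIDATE_EMAIL) !== false ? $raw : null;
}

// For free-text header values: keep printable ASCII only and cap the length.
function clean_header_text(string $raw, int $max = 100): string {
    return substr(preg_replace('/[^\x20-\x7E]/', '', $raw), 0, $max);
}

// Every user-supplied string placed in the HTML body goes through this.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$yourname     = clean_header_text($_POST['yourname'] ?? '');
$youremail    = clean_email($_POST['youremail'] ?? '');
$friendsemail = clean_email($_POST['friendsemail'] ?? '');
$message      = substr($_POST['message'] ?? '', 0, 150); // the form promises 150 chars

if ($yourname === '' || $youremail === null || $friendsemail === null) {
    http_response_code(400);
    exit('Please enter your name and valid e-mail addresses.');
}

$subject = "I've found a great website!";
// From: is the site's own fixed address; the visitor's address only goes in Reply-To.
$headers  = "From: " . ADMIN_ADDRESS . "\r\n";
$headers .= "Reply-To: " . $youremail . "\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: text/html; charset=UTF-8\r\n";

$body = "<html><body>"
      . "<img src='" . h(WEB_ADDRESS . LOGO_PATH) . "' alt='Logo'>"
      . "<p><b>From:</b> " . h($yourname) . " &lt;" . h($youremail) . "&gt;</p>"
      . "<p>" . nl2br(h($message)) . "</p>"
      . "<a href='" . h(WEB_ADDRESS) . "'>Visit</a></body></html>";

mail($friendsemail, $subject, $body, $headers);
```

Because the recipient list is now the only thing a visitor controls, rate-limiting submissions per IP or session is the remaining measure against the form being used as a spam relay.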