安全电子邮件表单、标头注入查询
我正在使用以下功能来清理我的联系表单中的输入:
<?php
$name = strip_tags(stripslashes($_POST['name']));
//this is repeated for several other fields, then:
if(isInjected($name)) { die(); }
/* see isInjected function below */
// send the mail
?>
我正在使用此功能:
<?php
/* function from http://phpsense.com/php/php-mail.html */
function isInjected($str) {
$injections = array('(\n+)',
'(\r+)',
'(\t+)',
'(%0A+)',
'(%0D+)',
'(%08+)',
'(%09+)'
);
$inject = join('|', $injections);
$inject = "/$inject/i";
if(preg_match($inject,$str)) {
return true;
}
else {
return false;
}
}
?>
这足以清理我的联系表单吗?
谢谢。
I'm using the following to clean up input from my contact form:
<?php
$name = strip_tags(stripslashes($_POST['name']));
//this is repeated for several other fields, then:
if(isInjected($name)) { die(); }
/* see isInjected function below */
// send the mail
?>
I'm using this function:
<?php
/* function from http://phpsense.com/php/php-mail.html */
function isInjected($str) {
$injections = array('(\n+)',
'(\r+)',
'(\t+)',
'(%0A+)',
'(%0D+)',
'(%08+)',
'(%09+)'
);
$inject = join('|', $injections);
$inject = "/$inject/i";
if(preg_match($inject,$str)) {
return true;
}
else {
return false;
}
}
?>
Is this sufficient to clean up my contact form?
thanks.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
附带说明一下,代码有点臃肿。它可以很容易地被修剪:
As a side note that code is a little bloated. It can be trimmed down quite easily:
它看起来相当不错,并且比平均输入验证更好。我个人也更喜欢处理输入类型。在我的基本控制器中,我有几个函数来检查输入是否是有效的出生日期、电子邮件地址等。如果您将此类验证添加到现有验证中,我认为您可以很好地处理它。
It seems prettey decent and better than average inputvalidation. Personanlly I also prefer handling inputtypes. In my basecontroller I have several functions to check wether input is a valid date of birth, emailaddress, etc. If you add such validation to your existing validation you're handling it well IMO.