CakePHP form getting spammed - what to do?
I have a simple cakephp form WITH validation that submits to a database. It doesn't require a logged in user.
Now, using the form normally via a browser and not filling in all required fields causes validation errors and the form is not submitted.
However, I seem to be getting spammed by someone/something. They are filling in the generically named fields (name, email, message etc.) but not the obscure ones, and these records are going into the database, so they're obviously bypassing the validation!
My question is HOW??? (and how can I stop them?)
I have the feeling I'm missing an obvious loophole or something...
This is my add method:
function add() {
    $this->pageTitle = 'Projects - Submit Project';
    if (!empty($this->data)) {              // any POST data at all, browser or not
        $this->Project->create();
        // save() validates only the keys present in $this->data, then inserts
        if ($this->Project->save($this->data)) {
            $this->Session->setFlash(__('The Project has been saved', true));
            $this->_sendStaffMail($this->Project->id);
            $this->_sendClientMail($this->Project->id);
            $this->redirect(array('controller' => 'pages', 'action' => 'thanks'));
        } else {
            $this->Session->setFlash(__('The Project could not be saved. Please, try again.', true));
        }
    }
}
And validation from Model:
// simple syntax: rule name only, no 'required' or 'allowEmpty' flags
var $validate = array(
    'name'            => array('notempty'),
    'department'      => array('notempty'),
    'client'          => array('notempty'),
    'contact_name'    => array('notempty'),
    'email'           => array('email'),
    'phone'           => array('notempty'),
    'title'           => array('notempty'),
    'background'      => array('notempty'),
    'objectives'      => array('notempty'),
    'target_audience' => array('notempty'),
    'message'         => array('notempty'),
    'logos'           => array('notempty'),
    'images'          => array('notempty'),
    'print_info'      => array('notempty')
);
I should also mention I have tried playing with the Security component, but it seems overkill when my project has tons of forms throughout it (although they're behind Auth login).
You need to expand your validation array to include a few more options than the simple syntax allows for.
The comments on the rule should explain why each key is in there. The notEmpty rule and the allowEmpty => false are redundant, but I wanted a rule in the declaration so that you would see the key in there and remember to replace it with an appropriate validation rule (isUnique, minLength etc.).
Edited: more info
Basically what is happening is somebody is posting a request directly to the form action that includes a post array with the obvious keys. As your validation rules stand, if the keys for some of the more specific info are omitted there is no validation check for those fields. To make cake validate not only the data for the keys but also the existence of the key itself use the required => true flag. If the key must also not contain just whitespace or an empty value ( required => true simply makes sure the field was included in the form ) you use the allowEmpty => false.
I'm guessing the post data the spammer is passing doesn't contain fields like target_audience and Cake isn't validating it for that reason when the model is saved.
What you want to do is add the 'required' validation rule.
The 'empty' rules only check that a value passed in the data array isn't whitespace; 'required' assures that the field actually exists before the model is saved.
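The two answers above describe the same mechanism: CakePHP 1.x never runs a field's rules if the key is missing from the posted data, unless the rule carries 'required' => true. The script below is an added example, not code from the question or from either answer. It re-implements that decision in simplified form (the rule checks for notEmpty and email are stand-ins for Cake's Validation class, and the helper names are my own) and runs the question's rule set, then a hardened copy, against a constructed POST that contains only the obvious keys.

```php
<?php
// Added example, not from the question or the answers. Simplified re-implementation
// of the check CakePHP 1.x Model::invalidFields() performs before running any rule:
// a key absent from the posted data is skipped unless the rule sets 'required' => true.
// notEmpty/email below are stand-ins for Cake's Validation class (assumption).

// Expand Cake's shorthand ('field' => array('notempty')) into the long form
// ('field' => array(array('rule' => 'notempty', 'required' => ..., 'allowEmpty' => ...))).
function normalizeRules(array $validate) {
    $out = array();
    foreach ($validate as $field => $ruleSet) {
        if (isset($ruleSet['rule'])) {      // one rule written in long form
            $ruleSet = array($ruleSet);
        }
        foreach ($ruleSet as $rule) {
            if (!is_array($rule)) {         // bare rule name
                $rule = array('rule' => $rule);
            }
            $out[$field][] = $rule + array('required' => null, 'allowEmpty' => null);
        }
    }
    return $out;
}

// Stand-in for Validation::notEmpty() and Validation::email() (assumption).
function runRule($rule, $value) {
    switch (strtolower($rule)) {
        case 'notempty':
            return is_scalar($value) && preg_match('/[^\s]+/', (string)$value) === 1;
        case 'email':
            return is_string($value) && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
    }
    throw new InvalidArgumentException("unknown rule: $rule");
}

// Returns field => failed rule, following the order of checks in Cake 1.3.
function invalidFields(array $validate, array $data) {
    $errors = array();
    foreach (normalizeRules($validate) as $field => $rules) {
        foreach ($rules as $v) {
            $present = array_key_exists($field, $data);
            $blank   = $present && empty($data[$field]) && !is_numeric($data[$field]);
            if ((!$present && $v['required'] === true) || ($blank && $v['allowEmpty'] === false)) {
                $errors[$field] = 'required';
                break;
            }
            if (!$present) {
                continue;   // the hole: key not posted and not required, so the rule never runs
            }
            if ($blank && $v['allowEmpty'] === true) {
                break;      // explicitly optional value, nothing more to check
            }
            if (!runRule($v['rule'], $data[$field])) {
                $errors[$field] = $v['rule'];
                break;
            }
        }
    }
    return $errors;
}

// The question's rule set as posted (simple syntax, no 'required').
$simple = array(
    'name'            => array('notempty'),
    'department'      => array('notempty'),
    'client'          => array('notempty'),
    'contact_name'    => array('notempty'),
    'email'           => array('email'),
    'phone'           => array('notempty'),
    'title'           => array('notempty'),
    'background'      => array('notempty'),
    'objectives'      => array('notempty'),
    'target_audience' => array('notempty'),
    'message'         => array('notempty'),
    'logos'           => array('notempty'),
    'images'          => array('notempty'),
    'print_info'      => array('notempty'),
);

// Same fields with the flags the answers recommend: the key must be posted
// ('required') and must not be blank ('allowEmpty').
$hardened = array();
foreach ($simple as $field => $rules) {
    $hardened[$field] = array(
        'rule'       => $rules[0],
        'required'   => true,
        'allowEmpty' => false,
        'message'    => 'This field is required',
    );
}

// Constructed sample: a bot posting only the generically named keys.
$spamPost = array('name' => 'Bot', 'email' => 'bot@example.com', 'message' => 'Buy now');

print_r(invalidFields($simple, $spamPost));
print_r(invalidFields($hardened, $spamPost));
```

Run with `php`, the first call returns an empty array (every posted key passes and the eleven absent keys are never examined, so save() would proceed), while the second reports each absent field as 'required'. Two caveats for a real model: 'required' => true applies to every save, so an edit form that posts only a subset of fields needs 'on' => 'create' on those rules; and these flags only make validation match the form, so a bot that posts every key still gets through, which is what the captcha and Mollom suggestions in the other answers address.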
I'm talking really generally here (i.e. not CakePHP specific), but would a captcha field be worthwhile considering?
Also, what about the Mollom anti-spam service? This is free to many website operators, except for those that have a lot of traffic. Works with any CMS.
Is your CakePHP accepting security or proof-that-the-user-is-human questions as optional parameters? Have a look at what CakePHP does (i.e. where the execution flows to, what PHP code is run) with the HTTP form POST CGI parameter data passed to your server from your client-side form.
Are your database login/passwords secure enough?