当前位置: 文江博客话题详情

使用 Swiftmailer 的 PHP 驱动的 HTML 联系表单的安全性如何?

发布于 2024-11-18 22:15:25 字数 1148 浏览 3 评论 0原文

我的网站上有一个 PHP 驱动的 HTML 联系表单。目前我使用 PHP mail() 函数。因此,我必须进行许多用户输入验证,以避免电子邮件标头注入攻击。我认为我是安全的,但我可能忘记了一些东西,我想迁移到一个可靠的 PHP 电子邮件库。我选择的库是 Swiftmailer

现在我想检查 Swiftmailer 是否解决了以下问题:

  1. 删除或转义发件人姓名中的 <> 字符。
  2. 从发件人姓名中删除换行符(\n\r\n...)。
  3. 从电子邮件主题中删除或转义换行符。
  4. 规范邮件正文(电子邮件的内容)中的换行符。根据 PHP 文档,应在内容中使用 \n ,并应使用 \r\n 作为电子邮件标头分隔符。

PS:我尝试联系 Swiftmailer 团队提出我的问题,但没有成功,所以我在这里尝试。

编辑:

我用 Swiftmailer 做了一些测试用例,这是我到目前为止发现的:

  1. 当你在发件人的姓名,您会收到无法送达电子邮件错误邮件。这可能会在某种程度上导致您的邮件服务器遭受 DOS 攻击(也许我错了)。这正常吗?!
  2. 换行符被转义,因此注入攻击失败。
  3. 换行符被转义,因此注入攻击失败。
  4. 经过测试,但我无法看到 Swiftmailer 做了什么(如果它做了什么)。所以我在这里还处于黑暗之中。

有人可以帮我澄清#1 和#4 吗?我不确定这是否是正常行为......

原文

I have a PHP driven HTML contact form on my site. Currently I use the PHP mail() function. Because of that I have to do many user input validation to avoid email header injection attacks. I think I'm secure, but I probably forgot something and I want to move to a solid PHP email library. The library I selected is Swiftmailer.

Now I want to check if Swiftmailer address the following:

  1. Removes or escape < and > characters in sender names.
  2. Removes newlines (\n, \r\n...) from sender names.
  3. Removes or escape newlines from email subject.
  4. Normalize newlines in message body (the content of the email). As per the PHP docs, \n should be used in content and \r\n as email headers separator.

PS: I tried to contact the Swiftmailer team with my questions without success so I'm trying here.

Edit:

I did some test cases with Swiftmailer and this is what I found so far:

  1. When you have a < or > in the name of a sender, you get a Undeliverable email error mail. This can somewhat lead in a DOS attack of your mail server (maybe I'm wrong). Is this normal?!
  2. The newlines are escaped so the injection attack fails.
  3. The newlines are escaped so the injection attack fails.
  4. Tested but I'm unable to see what Swiftmailer do (if it does something). So I'm still in the dark here.

Can someone clarify #1 and #4 for me? I'm not sure if it's normal behavior...

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

獨角戲 2024-11-25 22:15:25

编辑:这个答案可能已过时。在我写这篇文章时,SwiftMailer 库存在一些问题。此时,SwiftMailer 一切工作正常,并且被认为是更好的库,比 PHPMailer 提供更多功能。

我建议你使用 phpmailer。它是我用过的最稳定的邮件库之一。下面是一个应该可以工作的示例代码:

include("./phpmailer/class.phpmailer.php");
$mail = new PHPMailer(false); // the true param means it will throw exceptions on errors, which we need to catch
$mail->IsSMTP();
$mail->Host = "YourDomainName.com";
$mail->SMTPDebug = 2;
$mail->SMTPAuth = true;
$mail->SMTPSecure = "tls";
$mail->Host = "YourSMTPMailServer.com";
$mail->Port = 587;
$mail->Username = "[email protected]";
$mail->Password = "password"; // GMAIL password
$mail->AddAddress("[email protected]", '<< >> ! " Receiver Name');
$mail->SetFrom('[email protected]', '<< >> ! " Sender Name');
$mail->Subject = "A testing subject";
$mail->AltBody = 'To view the message, please use an HTML compatible email viewer!';
$mail->MsgHTML('This is my <b>html</b> testing email, sent '.time());
$mail->Send();

您需要对其进行配置,以便它连接到您的电子邮件服务器,但它应该可以工作。 Phpmailer 逃脱了到目前为止我尝试过的一切。我唯一要检查的是“[电子邮件受保护]”。我用这段代码来做:

$email = "[email protected]";
$email = filter_var(filter_var($email,FILTER_SANITIZE_EMAIL),FILTER_VALIDATE_EMAIL);

if($email){
    echo "This email is valid!";
} else {
    echo "This email is INVALID!";
}

我希望这有帮助:)

EDIT: This answer may be obsolete. At the time I wrote this, there were some problems with the SwiftMailer library. At this point, everything is working fine with the SwiftMailer and is considered to be the better library with a lot more to offer than PHPMailer.

I would suggest you use phpmailer. It is one of the most stable mailing libraries I've ever used. Here's an example code that should be working:

include("./phpmailer/class.phpmailer.php");
$mail = new PHPMailer(false); // the true param means it will throw exceptions on errors, which we need to catch
$mail->IsSMTP();
$mail->Host = "YourDomainName.com";
$mail->SMTPDebug = 2;
$mail->SMTPAuth = true;
$mail->SMTPSecure = "tls";
$mail->Host = "YourSMTPMailServer.com";
$mail->Port = 587;
$mail->Username = "[email protected]";
$mail->Password = "password"; // GMAIL password
$mail->AddAddress("[email protected]", '<< >> ! " Receiver Name');
$mail->SetFrom('[email protected]', '<< >> ! " Sender Name');
$mail->Subject = "A testing subject";
$mail->AltBody = 'To view the message, please use an HTML compatible email viewer!';
$mail->MsgHTML('This is my <b>html</b> testing email, sent '.time());
$mail->Send();

You'll need to configure this so that it connects to your email server but it should be working. Phpmailer escapes so far everything I've tried. The only I'm checking is "[email protected]". I do it with this code:

$email = "[email protected]";
$email = filter_var(filter_var($email,FILTER_SANITIZE_EMAIL),FILTER_VALIDATE_EMAIL);

if($email){
    echo "This email is valid!";
} else {
    echo "This email is INVALID!";
}

I hope this helps :)

回复 原文
~没有更多了~

关于作者

陌路终见情

暂无简介

0 文章
0 评论
24 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

胡图图

文章 0 评论 0

zt006

文章 0 评论 0

z祗昰~

文章 0 评论 0

冰葑

文章 0 评论 0

野の

文章 0 评论 0

天空

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文