1

I recently built a website for one of my freelance clients; the site has a contact form and a request-for-estimate form.

Once a day, both forms get submitted and e-mailed to the designated e-mail address. But the submissions clearly do not come from real users, because every field contains the number 1. For example, the name field will be Name: 1 and the address field will be Address: 1. The number 1 is repeated for every text input, and even for the radio and checkbox form fields.

Below is a copy of the PHP file I use to process the estimate request form submission.

<?
$subject="Associated Sennott Contractors Request For Estimate From:".$_GET['firstname'];
$headers= "From: ".$_GET['email']."\n";
$headers.='Content-type: text/html; charset=iso-8859-1';
mail("email@gmail.com", $subject,  "
    <html>
        <head>
            <title>Associated Sennott Contractors Request For Estimate</title>
    </head>
<body>
    <p><strong>Associated Sennott Contractors Request For Estimate</strong></p>
    <p>
        First Name: ".$_GET['firstname']." <br />
        Last Name: ".$_GET['lastname']." <br />
        Company Name: ".$_GET['company']." <br />
        Address 1: ".$_GET['address1']." <br />
        Address 2: ".$_GET['address2']." <br />
        City: ".$_GET['city']." <br />
        State: ".$_GET['state']." <br />
        Zip: ".$_GET['zip']." <br />
        Phone: ".$_GET['phone']." <br />
        Fax: ".$_GET['fax']." <br />
        Email: ".$_GET['email']." <br /><br />

        <strong>Property Type:</strong><br />
        Residential Single Family: ".$_GET['singlefamily']." <br />
        Residential Multi-Family: ".$_GET['multifamily']." <br />
        Residential Out-Building : ".$_GET['outbuilding']." <br />
        Commercial Office: ".$_GET['commercial']." <br />
        Retail Store: ".$_GET['retail']." <br />
        Restaurant: ".$_GET['restaurant']." <br />
        Industrial Building: ".$_GET['industrial']." <br /><br />

        <strong>Requested Services:</strong><br />
        Fire, Water or Wind Damage Restoration: ".$_GET['restoration']." <br />
        Scope of Loss Estimate to Insurance Company: ".$_GET['scope']." <br />
        Smoke Odor Remediation: ".$_GET['smoke']." <br />
        Exterior Remodeling or Siding: ".$_GET['exterior']." <br />
        Interior Remodeling: ".$_GET['interior']." <br />
        Hardwood and Laminate Flooring: ".$_GET['flooring']." <br />
        Finish Carpentry: ".$_GET['carpentry']." <br />
        Demolition and Debris Removal: ".$_GET['demo']." <br />
        Exterior Decks, Patios and Fencing: ".$_GET['patio']." <br />
        Other: ".$_GET['other']." <br /><br />

        <strong>Additional Information:</strong><br />
        Message: ".$_GET['info']."
    </p>  
</body>
</html>" , $headers);
header( 'Location: thankyou.html' ) ;
?>

You can also view the PHP code at the following link: http://sennottcontractors.com/home-repair-estimate/quote-code.html

You can then view the HTML code of the actual form below:

<!DOCTYPE>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Request An Estimate Form</title>
<script type="text/javascript">
function formSubmit()
{
document.getElementById("estimate-form").submit();
}
</script>

</head>
<body>
<fieldset>
<legend><h3>Request a Home Restoration Estimate</h3></legend>
    <form id="estimate-form" name="estimate-form" target="_parent" method="get" action="quote.php" onsubmit='return formValidator()'>
        <p><strong>Contact Information</strong></p>
            <p>First Name: *<br />
            <input type="text" size="40" name="firstname" id="firstname" /></p>
            <p>Last Name: *<br />
            <input type="text" size="40" name="lastname" id="lastname" /></p>
            <p>Company Name:<br />
            <input type="text" size="40" name="company" id="company" /></p>
            <p>Address 1: *<br />
            <input type="text" size="40" name="address1" id="address1" /></p>
            <p>Address 2:<br />
            <input type="text" size="40" name="address2" id="address2" /></p>
            <p>City: *<br />
            <input type="text" size="30" name="city" id="city" /></p>
            <p>State: *<br />
            <input type="text" size="5" name="state" id="state" /></p>
            <p>Zip: *<br />
            <input type="text" size="10" name="zip" id="zip" /></p>
            <p>Phone: *<br />
            <input type="text" size="20" name="phone" id="phone" /></p>
            <p>Fax:<br />
            <input type="text" size="20" name="fax" id="fax" /></p>
            <p>Email: *<br />
            <input type="text" size="40" name="email" id="email" /></p>
        <br />
        <p><strong>Property Type</strong> *</p>
            <p><input type="checkbox" name="singlefamily" id="singlefamily"/> Residential Single Family</p>
            <p><input type="checkbox" name="multifamily" id="multifamily"/> Residential Multi-Family <em>(Condominium, apartment, town house, ect)</em></p>
            <p><input type="checkbox" name="outbuilding" id="outbuilding"/> Residential Out-Building <em>(Garage, shed, ect)</em></p>
            <p><input type="checkbox" name="commercial" id="commercial"/> Commercial Office</p>
            <p><input type="checkbox" name="retail" id="retail"/> Retail Store</p>
            <p><input type="checkbox" name="restaurant" id="restaurant"/> Restaurant</p>
            <p><input type="checkbox" name="industrial" id="industrial"/> Industrial Building</p>
        <br />
        <p><strong>Requested Services</strong> *</p>
            <p><input type="checkbox" name="restoration" id="restoration"/> Fire, Water or Wind Damage Restoration</p>
            <p><input type="checkbox" name="scope" id="scope"/> Scope of Loss Estimate to Insurance Company</p>
            <p><input type="checkbox" name="smoke" id="smoke"/> Smoke Odor Remediation</p>
            <p><input type="checkbox" name="exterior" id="exterior"/> Exterior Remodeling or Siding</p>
            <p><input type="checkbox" name="interior" id="interior"/> Interior Remodeling</p>
            <p><input type="checkbox" name="flooring" id="flooring"/> Hardwood and Laminate Flooring</p>
            <p><input type="checkbox" name="carpentry" id="carpentry"/> Finish Carpentry</p>
            <p><input type="checkbox" name="demo" id="demo"/> Demolition and Debris Removal</p>
            <p><input type="checkbox" name="patio" id="patio"/> Exterior Decks, Patios and Fencing</p>
            <p><input type="checkbox" name="other" id="other"/> Other</p>
        <br />
    <p><strong>Additional Information</strong><br />
    Please provide any information regarding details of your home restoration project or additional information to your requested services.</p>
    <p><textarea rows="10" cols="65" id="info" name="info"></textarea></p>
    <button type="submit" id="submit" onclick="formSubmit()">Submit</button>
    </form>
    <p>* Required Fields</p>
</fieldset>
</body>
</html>

The Request an Estimate form that uses the PHP file and code above can be viewed at the following link: http://sennottcontractors.com/home-repair-estimate/index.html

Again, both the Request an Estimate form and the Contact form get submitted once a day with the number 1 in every form field.

My guess is that this is either a problem with the PHP file itself or a problem on the server side where the site is hosted.

Please help!!!

4

3 Answers

2

Part of the problem is that you need to use a form nonce or "token".

form.php

<?php
session_start();

// uniqid() (not unique_id) with more_entropy=true appends extra random digits;
// the token is stored in the session so process.php can compare it later
$_SESSION['token'] = md5(mt_rand() . uniqid('form', true));

...

?>
<form method="post" action="process.php">
<input type="hidden" name="token" value="<?php print $_SESSION['token']; ?>">
...
</form>

process.php

<?php
session_start();

// reject any submission that did not come from a page that rendered the form
if (!isset($_SESSION['token'], $_POST['token']) || $_SESSION['token'] !== $_POST['token'])
{
    die('They did not load the form!');
}

...

(validation)

...

$db->insert($record);
answered 2012-08-07T17:01:18.377
2

There is technically nothing wrong with your form. You stated the cause of the problem yourself: "...the submitted forms obviously do not come from real users...". So the solution is to make your form bot-resistant. See this question on the Pro Webmasters site for how to do that: Making your website anti-bot?

answered 2012-08-07T16:52:40.120
1

You are not doing any validation. What do you expect?

Anyone can scrape the form fields, build a URL (since you are using GET instead of POST), and then submit it whenever they like. What you are probably seeing is a bot trying to figure out whether it can hijack your form to send e-mail wherever it wants.

What you should do is switch to using POST and check the $_SERVER['HTTP_REFERER'] variable to make sure the request came from your form (at the very least). You could also use a CAPTCHA, but those are becoming less and less reliable. You could go further and use a validation class to set rules for each field and for what kinds of data each field may contain.

Forms are easy to manipulate, so if you want any integrity in your form submissions you should validate on the server side. There is nothing wrong with client-side validation; just use it for user-experience purposes, not for ensuring data integrity.

answered 2012-08-07T16:53:58.890
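As an added example (not the asker's script and not either answerer's code), here is a hardened quote.php that combines the session token from the first answer with the POST-only, server-side validation advice from the third answer. It assumes the form from the question is rendered with method="post" and a hidden token field, uses the page's own field names, and uses placeholder mail addresses.

```php
<?php
// Added example, not code from the question or the answers: a hardened quote.php
// combining the session token (first answer) with POST-only handling and
// server-side validation (third answer). Mail addresses are placeholders.
session_start();

// 1. POST only: a crafted GET URL like the ones the bot built is refused outright.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') { http_response_code(405); exit; }

// 2. Token check: form.php stored $_SESSION['token'] when it rendered the form.
if (empty($_SESSION['token']) || empty($_POST['token']) || !is_string($_POST['token'])
    || !hash_equals($_SESSION['token'], $_POST['token'])) {
    http_response_code(403); exit('Form was not loaded from this site');
}
unset($_SESSION['token']);   // single use, so a replayed submission fails

// 3. Validation: one printable line, bounded length, no CR/LF/NUL characters.
function text_field(string $key, int $max, array &$errors): string {
    $v = is_string($_POST[$key] ?? null) ? trim($_POST[$key]) : '';
    if ($v === '' || strlen($v) > $max || preg_match('/[\r\n\0]/', $v)) {
        $errors[] = $key;
    }
    return $v;
}
function h(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }

$errors = [];
$first = text_field('firstname', 60, $errors);
$last  = text_field('lastname', 60, $errors);
$phone = text_field('phone', 30, $errors);
// FILTER_VALIDATE_EMAIL rejects line breaks, so the address cannot smuggle extra
// mail headers the way the original "From: ".$_GET['email']."\n" line allowed.
$email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
if ($email === false) { $errors[] = 'email'; }
// A checked box arrives only as the literal "on"; anything else counts as unchecked.
$single = (($_POST['singlefamily'] ?? '') === 'on') ? 'yes' : 'no';
$info   = substr(trim((string) ($_POST['info'] ?? '')), 0, 2000);
if ($errors) { http_response_code(400); exit('Invalid fields: ' . h(implode(', ', $errors))); }

// 4. Output: escape every value placed in the HTML body; From is a fixed local
// address and the visitor's address goes in Reply-To instead.
$body = '<p>First Name: ' . h($first) . '<br />Last Name: ' . h($last)
      . '<br />Phone: ' . h($phone) . '<br />Email: ' . h($email)
      . '<br />Residential Single Family: ' . $single
      . '<br />Message: ' . nl2br(h($info)) . '</p>';
$headers = "From: forms@example.invalid\r\nReply-To: $email\r\n"
         . 'Content-type: text/html; charset=UTF-8';
mail('owner@example.invalid', 'Request For Estimate From: ' . $first, $body, $headers);
header('Location: thankyou.html');
```

The validated-then-escaped flow is the part that answers the question: the daily "1" submissions still pass a length check, so it is the token and POST requirement, not the field rules, that stop a scripted submitter.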