2

多年来,我一直在使用相同的 php 脚本从联系表单发送电子邮件。但是当我的网络服务器升级到 php 5.3 时,对 eregi 的调用导致显示已弃用的错误。

在谷歌搜索后,我了解到我可以使用 stristr 而不是 eregi。

当我进行这个简单的切换时,一切正常,但我不是 php 向导,所以我想知道我的脚本是否仍然可以防止头注入。

有人可以让我放心并确认此脚本是安全的(或至少足够安全)以用于从联系表发送电子邮件吗?

以下是使用 stristr 的当前脚本的示例:

    <?

$to="myemail@gmail.com";

// the $Name is the PHP variable, the _Post['Name'] should match the name of the input boxes in the form

$Name=$_POST['Name'];

$Email=$_POST['Email'];

$Phone=$_POST['Phone'];

$Message=$_POST['Message'];

// you can format the email anyway you want.

$message="Form submitted by $Name

Applicant Information:\n

Name: $Name

Email: $Email

Phone: $Phone

Message: $Message";

// Check for script HiJack

$arBadStr = array("Content-Type:", "MIME-Version:", "Content-Transfer-Encoding:", "bcc:", "cc:");

foreach($_POST as $tName => $tVal){

foreach($arBadStr as $tStr){

if(stristr($tStr, $tVal)){

$fSub = "Failed: Header Injection.";

reportError($fSub); 

}}}





if(mail($to,"mywebsite.com contact Form Submission",$message,"From: $Name <$Email>")) {

echo "Thank you $Name for your interest. We will contact you shortly";

} else {

echo "There was a problem sending the mail. Please check that you filled in the form correctly.";

}



// Report error function called when test detects hijacking. Mails report to webmaster and kills process.

function reportError($fSub) {

while(list($name, $value) = each($_POST)) {

$eBody .= "$name : $value \n\r"; }

mail( "myemail@gmail.com", $fSub, $eBody, "From: Webmaster <myemail@gmail.com>");

exit(header("Location: http://www.mywebsite.com")); }

?>

更新

基于 cryptic 的慷慨帮助,这就是我的新脚本的样子。如您所见,我已经删除了一些标题验证功能,而不是简单地清理输入字段。

    <?
$to="myemail@gmail.com";

// the $Name is the PHP variable, the _Post['Name'] should match the name of the input boxes in the form

$Name = str_replace(array("\n", "\r"), '', $_POST['Name']);
$Email = str_replace(array("\n", "\r"), '', $_POST['Email']);
$Phone = str_replace(array("\n", "\r"), '', $_POST['Phone']);
$Message = str_replace(array("\n", "\r"), '', $_POST['Message']);


function clean_string($string) {
      $bad = array("content-type","bcc:","to:","cc:","href");
      return str_replace($bad,"",$string);
    }

$Name = clean_string($Name);
$Email = clean_string($Email);
$Phone = clean_string($Phone);
$Message = clean_string($Message);


// you can format the email anyway you want.

$message="Form submitted by $Name

Applicant Information:\n

Name: $Name

Email: $Email

Phone: $Phone

Message: $Message";


if(mail($to,"mywebsite.com contact Form Submission",$message,"From: $Name <$Email>")) {

echo "Thank you $Name for your interest. We will contact you shortly";

} else {

echo "There was a problem sending the mail. Please check that you filled in the form correctly.";

}
?>
4

1 回答 1

4

您尝试将 BCC、CC 等标头列入黑名单,但无法阻止 TO、FROM。

RFC 822 第 16 页第 4.1 节中指出:

该规范允许大多数字段多次出现。除非另有说明,否则此处未指定它们的解释,并且不鼓励使用它们。

因此,攻击者将能够操纵消息以添加其他收件人和发件人。您实际上应该只检查换行符和回车符,或者只是通过删除 \r 和 \n 字符来清理所有 $_POST 值。

<?php

function clean_string($string) 
{
    return str_replace(array("\n", "\r"), '', $string);
}

$to = 'myemail@gmail.com';

// the $Name is the PHP variable, the _Post['Name'] should match the name of the input boxes in the form
$Name    = clean_string($Name);
$Email   = clean_string($Email);
$Phone   = clean_string($Phone);
$Message = clean_string($Message);

// you can format the email anyway you want.
$message = "Form submitted by $Name

Applicant Information:\n

Name: $Name

Email: $Email

Phone: $Phone

Message: $Message";

if (mail($to, 'mywebsite.com contact Form Submission', $message, "From: $Name <$Email>"))
{
    echo 'Thank you ' . htmlspecialchars($Name) . ' for your interest. We will contact you shortly';
}
else
{
    echo "There was a problem sending the mail. Please check that you filled in the form correctly.";
}

?>
于 2012-12-08T01:40:26.833 回答