
I've created a tell-a-friend form for a CMS. I need some hidden fields in the form so that I can pass the homepage address, a link to the logo, and the web admin's email address. However, the values of the hidden fields are not passed to my mail file. You could also try the form on my website: http://www.zoosh.me/tellafriend.php Is there a bug in PHP, or is something wrong with my files? I would really appreciate your help, guys.

Thanks, Ovi

<form id="tellafriend" method="post" action="mail.php">
 <fieldset>
  <img id="telllogo" width="170" alt="Logo" src="/perch/resources/1253956138myself-w170.jpg"/>
  <input width="170" type="hidden" alt="Logo" value="/perch/resources/1253956138myself-w170.jpg" name="logo"/>
  <input type="hidden" value="http://www.zoosh.me" name="webaddress"/>
  <ul class="wrapper">
   <li>
    <label class="label" for="yourname">Your Name:</label>
    <input id="yourname" class="text jquery-live-validation-on invalid" type="text" value="" name="yourname"/>
    <img alt="Invalid" src="images/invalid.png"/>
   </li>
   <li>
    <label for="youremail">Your Email:</label>
    <input id="youremail" class="text jquery-live-validation-on invalid" type="text" value="" name="youremail"/>
    <img alt="Invalid" src="images/invalid.png"/>
   </li>
   <li>
    <label for="friendsname">Friend's Name:</label>
    <input id="friendsname" class="text jquery-live-validation-on invalid" type="text" value="" name="friendsname"/>
    <img alt="Invalid" src="images/invalid.png"/>
   </li>
   <li>
    <label for="friendsemail">Friend's Email:</label>
    <input id="friendsemail" class="text jquery-live-validation-on invalid" type="text" value="" name="friendsemail"/>
    <img alt="Invalid" src="images/invalid.png"/>
   </li>
   <li>
    <label for="message">
     Your Message
     <br/>
     <small id="charLeft">150 Characters left</small>
    </label>
    <textarea id="message" class="jquery-live-validation-on invalid" cols="10" rows="3" name="message"></textarea>
    <img alt="Invalid" src="images/invalid.png"/>
   </li>
   <li class="inputSubmit">
    <input id="submit" class="submit" type="submit" value="Send"/>
   </li>
  </ul>
  <input type="hidden" value="ovime@ovidiust.com" name="adminaddress"/>
 </fieldset>
</form>

Here is the code for the mail.php file that processes the form and sends an email to my visitor's friends.

<?php
$yourname = $_POST['yourname'];
$youremail = $_POST['youremail'];
$news = $_POST['news'];
$friendsname = $_POST['friendsname'];
$friendsemail = $_POST['friendsemail'];
$adminemail = $_POST['adminemail'];
$logo = $_POST['logo'];
$webaddress = $_POST['webaddress'];
$subject = "I've found a great website!";
$headers = "From: " . strip_tags($from) . "\r\n";
$headers .= "Reply-To: " . strip_tags($from) . "\r\n";
$headers .= "BCC: contact@handinhandwithgod.com\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";

$message = $_POST['message'];


$body="<html>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
<title>Zoosh</title>
</head>
<body>
<table width='90%' cellpadding='0' cellspacing='0'>
<tr>
<td align='center' valign='top'>
 <table width='411' cellpadding='0' cellspacing='0'>
  <tr>
   <td><img src='http://recycledoc.com/emails/zoosh_tellafriend/tdbg.png' width='1' height='450' alt='Tdbg'></td>
   <td background='http://recycledoc.com/emails/zoosh_tellafriend/tellafriendbg.jpg' valign='top' style='padding-top:20px; padding-right:20px; padding-bottom:20px; padding-left:20px;'>
    <table width='370' cellpadding='0' cellspacing='0'>
     <tr>
      <td valign='top' width='170' style='padding-right:10px'><img src='"
      . $webaddress . $logo . "' />
      </td>
      <td valign='top' width='190' style='font-family:Helvetica,Arial,Verdana,sans-serif; font-size:12px; color:#555;'>
       <p style='margin-top:0; margin-bottom:0;'>
        <span style='font-weight:bold;'>From:</span>" . $yourname . "<br>
        <span style='font-weight:bold;'>Email:</span> <a style='text-decoration:none; color:#6927B2;' href='mailto:" . $youremail . "'>" . $youremail . "</a></p>
       <p style='padding-top:200px;'>" . $message .

       "</p>
       <a href='" . $webaddress . "'><img src='http://recycledoc.com/emails/zoosh_tellafriend/visit.png' width='120' height='20' alt='Visit'></a>
      </td>
     </tr>
    </table>
   </td>
  </tr>
 </table>
</td>
</tr>
</table>

</body>
</html>";

if (mail($friendsemail, $subject, $body, $headers)) {
    echo "Thank you for telling your friend about my website. <a href='#' id='goback'>Click here</a> to tell another friend.";
} else {
    echo "Sorry. There was a problem sending your email. Please try again!";
}

mail($adminemail, $subject, $body, $headers);
mail($youremail, $subject, $body, $headers);

2 Answers


You are bypassing the form's normal submission process and submitting via AJAX:

data: 'yourname=' + yourname + '&youremail=' + youremail + '&friendsname=' + friendsname + '&friendsemail=' + friendsemail + '&message=' + message,

This does not include the logo, web address or admin address, so naturally they never reach the PHP script.

Also, you are not escaping these values correctly, so if someone includes an '&' or another special character in one of the fields, it will break. Use encodeURIComponent, or, since you are using jQuery's ajax function, just pass in a lookup and let jQuery take care of it for you:

data: {'yourname': yourname, ...

There are more escaping problems like this.

$headers = "From: " . strip_tags($from) . "\r\n";

strip_tags is no use here. Mail headers are plain text; HTML tags have no special meaning in them. What is dangerous, however, is newlines. These would allow an attacker to add any headers they like to the mail, and possibly even send multiple mails entirely under the attacker's control.

You should strongly sanitise anything you put into a mail header; in particular, non-ASCII characters and control characters must be stripped.

  <td valign='top' width='170' style='padding-right:10px'><img src='"
  . $webaddress . $logo . "' />

HTML injection. $webaddress and $logo can contain quotes, allowing an attacker to insert arbitrary HTML and JavaScript code. htmlspecialchars($s, ENT_QUOTES) is needed every time you put text into HTML.

Allowing the user to choose any web address, logo, admin address and so on is also very dangerous. It is a gift to spammers: they will submit their own data and message, hijacking your web form to "tell a friend" about their own penis pills, and get your server blocked far and wide. If you must have a "tell a friend" feature, you need to really lock down the permitted parameters; just putting them in a hidden field is no protection.

answered 2009-09-26T12:57:49.883
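As an added example that is not part of the question or either answer, here is how the header and body construction from mail.php could be hardened along the lines of this answer: addresses validated with filter_var, header values refused (rather than stripped) when they contain control or non-ASCII characters, body text HTML-escaped, and the site URL, logo and admin address taken from server-side constants instead of hidden fields. The constant names, function names and the admin address are assumptions.

```php
<?php
// Added example, not code from the question or the answers: a hardened
// rewrite of the header/body construction in mail.php. Site settings are
// server-side constants here, not hidden fields (admin address: placeholder).
const SITE_URL    = 'http://www.zoosh.me';
const SITE_LOGO   = '/perch/resources/1253956138myself-w170.jpg';
const ADMIN_EMAIL = 'admin@example.invalid';

// Header values: refuse (rather than repair) anything containing CR, LF, other
// control characters, non-ASCII bytes, or the quote/angle-bracket/backslash
// characters that delimit a display name; a CRLF lets the sender append headers.
function header_value(string $s): ?string {
    return preg_match('/[\x00-\x1F\x7F-\xFF"<>\\\\]/', $s) ? null : trim($s);
}

// A syntactically valid address cannot contain CRLF, so this both
// validates the address and protects the From/Reply-To/To headers.
function clean_email(string $s): ?string {
    $s = trim($s);
    return filter_var($s, FILTER_VALIDATE_EMAIL) !== false ? $s : null;
}

// Every user-supplied value placed into the HTML body goes through this.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Returns the pieces for mail(), or null when any input is unsafe (fail closed).
function build_mail(array $post): ?array {
    $name = header_value($post['yourname'] ?? '');
    $from = clean_email($post['youremail'] ?? '');
    $to   = clean_email($post['friendsemail'] ?? '');
    if ($name === null || $from === null || $to === null) {
        return null;
    }
    $headers = "From: \"$name\" <$from>\r\nReply-To: $from\r\n"
             . "MIME-Version: 1.0\r\nContent-Type: text/html; charset=UTF-8\r\n";
    $body = "<p><b>From:</b> " . h($name) . " &lt;" . h($from) . "&gt;</p>"
          . "<p>" . nl2br(h($post['message'] ?? '')) . "</p>"
          . "<a href='" . h(SITE_URL) . "'><img src='" . h(SITE_URL . SITE_LOGO) . "'></a>";
    return ['to' => $to, 'headers' => $headers, 'body' => $body];
}

$mail = build_mail($_POST); // e.g. youremail = "a@b.example\r\nBcc: x@y.example" yields null
if ($mail === null) {
    echo 'Sorry, the form contained invalid characters.';
} else {
    mail($mail['to'], "I've found a great website!", $mail['body'], $mail['headers']);
    mail(ADMIN_EMAIL, "I've found a great website!", $mail['body'], $mail['headers']);
}
```

Because the logo and web address are no longer read from the request, the hidden fields (and the AJAX data list) only need to carry the four visible inputs and the message.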

Your PHP script accesses $_POST['adminemail'], but the hidden field is called adminaddress.

answered 2009-09-26T13:01:15.393