我有一个在成功提交后发送电子邮件的 Ajax 表单。这在我的本地环境中没有任何问题。当我计划使用该页面时,我需要为来自表单的数据添加某种形式的清理,主要是为了防止邮件标题注入。
为此,我使用以下功能:
// see http://www.erich-kachel.de/?p=26 for details
function QB_SECURE_MAIL_PARAM($param_ = '', $level_ = 2) {
unset($filtered);
/* replace until done */
while ($param_ != $filtered || !isset($filtered)) {
if (isset($filtered)) {
$param_ = $filtered;
}
$filtered = preg_replace(
"/(Content-Transfer-Encoding:|MIME-Version:|content-type:|" .
"Subject:|to:|cc:|bcc:|from:|reply-to:)/ims", "", $param_);
}
unset($filtered);
if ($level_ >= 2) {
/* replace until done */
while ($param_ != $filtered || !isset($filtered)) {
if (isset($filtered)) {
$param_ = $filtered;
}
$filtered = preg_replace(
"/(%0A|\\\\r|%0D|\\\\n|%00|\\\\0|%09|\\\\t|%01|%02|%03|%04|%05|" .
"%06|%07|%08|%09|%0B|%0C|%0E|%0F|%10|%11|%12|%13)/ims", "", $param_);
}
}
return $param_;
}
例如,给出了以下代码段:
$headers = "From: " . QB_SECURE_MAIL_PARAM($from);
mail(QB_SECURE_MAIL_PARAM($recipient),
QB_SECURE_MAIL_PARAM($subject),
QB_SECURE_MAIL_PARAM($message, 1),
$headers);
在我的代码中,看起来像这样:
$email = QB_SECURE_MAIL_PARAM( $email );
$name = QB_SECURE_MAIL_PARAM( $name );
$message = QB_SECURE_MAIL_PARAM( $message , 1 );
$header = "MIME-Version: 1.0" . "\r\n";
$header .= "Content-type: text/html; charset=utf-8" . "\r\n";
$header .= "Content-Transfer-Encoding: quoted-printable" . "\r\n";
$header .= "Reply-To:" . $email . "\r\n";
$header .= "From: myForm <noreply@form.net>" . "\r\n";
mail ( "my.mail@mail.com" , "You have a message from " . $name . " waiting for you" , $message , $header );
邮件被发送,但在 AJAX 中error
事件被触发。为什么?
我再说一遍:没有这个QB_SECURE_MAIL_PARAM
功能一切正常,所以问题就在那里。