-1

I've been reading into php mail injection and possible security risks. I've decided to control most of this via a function and simply pass in the from email and contact message.

just wondered how secure this was and does it prevent any sort of injection?

//contact form
function sendContactForm($contactEmail, $contactMessage) {

    $to = "mysite@mysite.com";
    $from = "mysite@mysite.com";

    $replyTo = filter_var($contactEmail, FILTER_VALIDATE_EMAIL);

    $subject = "Contact Form Email";
    $message = $contactMessage;

    $headers  = "From: " . $from . "\r\n"; 
    $headers  = "Reply-To:" . $replyTo . "\r\n";
    $headers .= "Content-type: text/html\r\n"; 

    $success = mail($to, $subject, $message, $headers);

}
4

1 回答 1

1

这不是很安全:用户可以很容易地在$contactMessage.

我的建议是使用htmlentities(), 来转换实体中的字符(如果可能)。

您也可以使用strip_tags(),它返回一个没有 HTML 标记的字符串。

于 2013-05-03T11:26:20.323 回答