PHP 安全邮件

最新推荐文章于 2024-07-10 21:39:46 发布
最新推荐文章于 2024-07-10 21:39:46 发布
阅读量911 收藏
点赞数
文章标签: php email input header insert function

There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。

PHP E-mail Injections
PHP 如何运行E-mail Injections

First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:

<html>
<body>
<?php
if (isset(
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


     
     


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





     
     

            
<html>
<body>

            
___FCKpd___1

            
</body>
</html>

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





     
     

            
someone@example.com%0ACc:person2@example.com
%0ABcc:person3@example.com,person3@example.com,
anotherperson4@example.com,person5@example.com
%0ABTo:person6@example.com

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


     
     


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





     
     

            
<html>
<body>

            
<?php
function spamcheck($field)
  {
//eregi() performs a case insensitive regular expression match
  if(eregi("to:",$field) || eregi("cc:",$field)) 
    {
    return TRUE;
    }
  else
    {
    return FALSE;
    }
  }

            
//if "email" is filled out, send email
if (isset(
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


          
          


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





          
          

            
<html>
<body>

            
<?php
if (isset(
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


               
               


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





               
               

            
<html>
<body>

            
___FCKpd___1

            
</body>
</html>

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





               
               

            
someone@example.com%0ACc:person2@example.com
%0ABcc:person3@example.com,person3@example.com,
anotherperson4@example.com,person5@example.com
%0ABTo:person6@example.com

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


               
               


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





               
               

            
<html>
<body>

            
<?php
function spamcheck($field)
  {
//eregi() performs a case insensitive regular expression match
  if(eregi("to:",$field) || eregi("cc:",$field)) 
    {
    return TRUE;
    }
  else
    {
    return FALSE;
    }
  }

            
___FCKpd___6

            
</body>
</html>

            



REQUEST['email']))
//if "email" is filled out, send email
  {
  //send email
  $email = 
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


               
               


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





               
               

            
<html>
<body>

            
___FCKpd___1

            
___FCKpd___2

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





               
               

            
___FCKpd___3

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


               
               


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





               
               

            
___FCKpd___4

            
___FCKpd___5

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['email'] ; 
  $subject = 
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


               
               


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





               
               

            
<html>
<body>

            
___FCKpd___1

            
___FCKpd___2

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





               
               

            
___FCKpd___3

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


               
               


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





               
               

            
___FCKpd___4

            
___FCKpd___5

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['subject'] ;
  $message = 
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


               
               


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





               
               

            
<html>
<body>

            
___FCKpd___1

            
___FCKpd___2

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





               
               

            
___FCKpd___3

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


               
               


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





               
               

            
___FCKpd___4

            
___FCKpd___5

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['message'] ;
  mail("someone@example.com", "Subject: $subject",
  $message, "From: $email" );
  echo "Thank you for using our mail form";
  }
else
//if "email" is not filled out, display the form
  {
  echo "<form method='post' action='mailform.php'>

  Email: <input name='email' type='text' /><br />
  Subject: <input name='subject' type='text' /><br />
  Message:<br />
  <textarea name='message' rows='15' cols='40'>

  </textarea><br />
  <input type='submit' />
  </form>";
  }
?>

            
___FCKpd___2

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





          
          

            
___FCKpd___3

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


          
          


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





          
          

            
___FCKpd___4

            
___FCKpd___5

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['email']))
  {
  //check if the email address is invalid
  $mailcheck = spamcheck(
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


          
          


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





          
          

            
<html>
<body>

            
<?php
if (isset(
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


               
               


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





               
               

            
<html>
<body>

            
___FCKpd___1

            
</body>
</html>

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





               
               

            
someone@example.com%0ACc:person2@example.com
%0ABcc:person3@example.com,person3@example.com,
anotherperson4@example.com,person5@example.com
%0ABTo:person6@example.com

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


               
               


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





               
               

            
<html>
<body>

            
<?php
function spamcheck($field)
  {
//eregi() performs a case insensitive regular expression match
  if(eregi("to:",$field) || eregi("cc:",$field)) 
    {
    return TRUE;
    }
  else
    {
    return FALSE;
    }
  }

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['email']))
//if "email" is filled out, send email
  {
  //send email
  $email = 
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


               
               


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





               
               

            
<html>
<body>

            
___FCKpd___1

            
___FCKpd___2

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





               
               

            
___FCKpd___3

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


               
               


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





               
               

            
___FCKpd___4

            
___FCKpd___5

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['email'] ; 
  $subject = 
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


               
               


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





               
               

            
<html>
<body>

            
___FCKpd___1

            
___FCKpd___2

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





               
               

            
___FCKpd___3

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


               
               


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





               
               

            
___FCKpd___4

            
___FCKpd___5

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['subject'] ;
  $message = 
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


               
               


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





               
               

            
<html>
<body>

            
___FCKpd___1

            
___FCKpd___2

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





               
               

            
___FCKpd___3

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


               
               


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





               
               

            
___FCKpd___4

            
___FCKpd___5

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['message'] ;
  mail("someone@example.com", "Subject: $subject",
  $message, "From: $email" );
  echo "Thank you for using our mail form";
  }
else
//if "email" is not filled out, display the form
  {
  echo "<form method='post' action='mailform.php'>

  Email: <input name='email' type='text' /><br />
  Subject: <input name='subject' type='text' /><br />
  Message:<br />
  <textarea name='message' rows='15' cols='40'>

  </textarea><br />
  <input type='submit' />
  </form>";
  }
?>

            
___FCKpd___2

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





          
          

            
___FCKpd___3

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


          
          


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





          
          

            
___FCKpd___4

            
___FCKpd___5

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['email']);
  if ($mailcheck==TRUE)
    {
    echo "Invalid input";
    }
  else
    { 
    //send email
    $email = 
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


          
          


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





          
          

            
<html>
<body>

            
<?php
if (isset(
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


               
               


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





               
               

            
<html>
<body>

            
___FCKpd___1

            
</body>
</html>

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





               
               

            
someone@example.com%0ACc:person2@example.com
%0ABcc:person3@example.com,person3@example.com,
anotherperson4@example.com,person5@example.com
%0ABTo:person6@example.com

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


               
               


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





               
               

            
<html>
<body>

            
<?php
function spamcheck($field)
  {
//eregi() performs a case insensitive regular expression match
  if(eregi("to:",$field) || eregi("cc:",$field)) 
    {
    return TRUE;
    }
  else
    {
    return FALSE;
    }
  }

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['email']))
//if "email" is filled out, send email
  {
  //send email
  $email = 
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


               
               


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





               
               

            
<html>
<body>

            
___FCKpd___1

            
___FCKpd___2

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





               
               

            
___FCKpd___3

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


               
               


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





               
               

            
___FCKpd___4

            
___FCKpd___5

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['email'] ; 
  $subject = 
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


               
               


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





               
               

            
<html>
<body>

            
___FCKpd___1

            
___FCKpd___2

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





               
               

            
___FCKpd___3

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


               
               


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





               
               

            
___FCKpd___4

            
___FCKpd___5

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['subject'] ;
  $message = 
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


               
               


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





               
               

            
<html>
<body>

            
___FCKpd___1

            
___FCKpd___2

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





               
               

            
___FCKpd___3

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


               
               


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





               
               

            
___FCKpd___4

            
___FCKpd___5

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['message'] ;
  mail("someone@example.com", "Subject: $subject",
  $message, "From: $email" );
  echo "Thank you for using our mail form";
  }
else
//if "email" is not filled out, display the form
  {
  echo "<form method='post' action='mailform.php'>

  Email: <input name='email' type='text' /><br />
  Subject: <input name='subject' type='text' /><br />
  Message:<br />
  <textarea name='message' rows='15' cols='40'>

  </textarea><br />
  <input type='submit' />
  </form>";
  }
?>

            
___FCKpd___2

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





          
          

            
___FCKpd___3

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


          
          


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





          
          

            
___FCKpd___4

            
___FCKpd___5

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['email'] ; 
    $subject = 
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


          
          


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





          
          

            
<html>
<body>

            
<?php
if (isset(
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


               
               


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





               
               

            
<html>
<body>

            
___FCKpd___1

            
</body>
</html>

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





               
               

            
someone@example.com%0ACc:person2@example.com
%0ABcc:person3@example.com,person3@example.com,
anotherperson4@example.com,person5@example.com
%0ABTo:person6@example.com

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


               
               


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





               
               

            
<html>
<body>

            
<?php
function spamcheck($field)
  {
//eregi() performs a case insensitive regular expression match
  if(eregi("to:",$field) || eregi("cc:",$field)) 
    {
    return TRUE;
    }
  else
    {
    return FALSE;
    }
  }

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['email']))
//if "email" is filled out, send email
  {
  //send email
  $email = 
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


               
               


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





               
               

            
<html>
<body>

            
___FCKpd___1

            
___FCKpd___2

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





               
               

            
___FCKpd___3

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


               
               


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





               
               

            
___FCKpd___4

            
___FCKpd___5

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['email'] ; 
  $subject = 
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


               
               


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





               
               

            
<html>
<body>

            
___FCKpd___1

            
___FCKpd___2

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





               
               

            
___FCKpd___3

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


               
               


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





               
               

            
___FCKpd___4

            
___FCKpd___5

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['subject'] ;
  $message = 
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


               
               


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





               
               

            
<html>
<body>

            
___FCKpd___1

            
___FCKpd___2

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





               
               

            
___FCKpd___3

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


               
               


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





               
               

            
___FCKpd___4

            
___FCKpd___5

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['message'] ;
  mail("someone@example.com", "Subject: $subject",
  $message, "From: $email" );
  echo "Thank you for using our mail form";
  }
else
//if "email" is not filled out, display the form
  {
  echo "<form method='post' action='mailform.php'>

  Email: <input name='email' type='text' /><br />
  Subject: <input name='subject' type='text' /><br />
  Message:<br />
  <textarea name='message' rows='15' cols='40'>

  </textarea><br />
  <input type='submit' />
  </form>";
  }
?>

            
___FCKpd___2

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





          
          

            
___FCKpd___3

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


          
          


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





          
          

            
___FCKpd___4

            
___FCKpd___5

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['subject'] ;
    $message = 
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


          
          


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





          
          

            
<html>
<body>

            
<?php
if (isset(
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


               
               


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





               
               

            
<html>
<body>

            
___FCKpd___1

            
</body>
</html>

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





               
               

            
someone@example.com%0ACc:person2@example.com
%0ABcc:person3@example.com,person3@example.com,
anotherperson4@example.com,person5@example.com
%0ABTo:person6@example.com

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


               
               


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





               
               

            
<html>
<body>

            
<?php
function spamcheck($field)
  {
//eregi() performs a case insensitive regular expression match
  if(eregi("to:",$field) || eregi("cc:",$field)) 
    {
    return TRUE;
    }
  else
    {
    return FALSE;
    }
  }

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['email']))
//if "email" is filled out, send email
  {
  //send email
  $email = 
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


               
               


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





               
               

            
<html>
<body>

            
___FCKpd___1

            
___FCKpd___2

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





               
               

            
___FCKpd___3

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


               
               


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





               
               

            
___FCKpd___4

            
___FCKpd___5

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['email'] ; 
  $subject = 
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


               
               


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





               
               

            
<html>
<body>

            
___FCKpd___1

            
___FCKpd___2

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





               
               

            
___FCKpd___3

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


               
               


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





               
               

            
___FCKpd___4

            
___FCKpd___5

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['subject'] ;
  $message = 
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


               
               


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





               
               

            
<html>
<body>

            
___FCKpd___1

            
___FCKpd___2

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





               
               

            
___FCKpd___3

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


               
               


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





               
               

            
___FCKpd___4

            
___FCKpd___5

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['message'] ;
  mail("someone@example.com", "Subject: $subject",
  $message, "From: $email" );
  echo "Thank you for using our mail form";
  }
else
//if "email" is not filled out, display the form
  {
  echo "<form method='post' action='mailform.php'>

  Email: <input name='email' type='text' /><br />
  Subject: <input name='subject' type='text' /><br />
  Message:<br />
  <textarea name='message' rows='15' cols='40'>

  </textarea><br />
  <input type='submit' />
  </form>";
  }
?>

            
___FCKpd___2

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





          
          

            
___FCKpd___3

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


          
          


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





          
          

            
___FCKpd___4

            
___FCKpd___5

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['message'] ;
    mail("someone@example.com", "Subject: $subject",
    $message, "From: $email" );
    echo "Thank you for using our mail form";
    }
  }
else
//if "email" is not filled out, display the form
  {
  echo "<form method='post' action='mailform.php'>

  Email: <input name='email' type='text' /><br />
  Subject: <input name='subject' type='text' /><br />
  Message:<br />
  <textarea name='message' rows='15' cols='40'>

  </textarea><br />
  <input type='submit' />
  </form>";
  }
?>

            
___FCKpd___7

            



REQUEST['email']))
//if "email" is filled out, send email
  {
  //send email
  $email = 
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


     
     


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





     
     

            
<html>
<body>

            
___FCKpd___1

            
___FCKpd___2

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





     
     

            
___FCKpd___3

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


     
     


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





     
     

            
___FCKpd___4

            
___FCKpd___5

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['email'] ; 
  $subject = 
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


     
     


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





     
     

            
<html>
<body>

            
___FCKpd___1

            
___FCKpd___2

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





     
     

            
___FCKpd___3

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


     
     


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





     
     

            
___FCKpd___4

            
___FCKpd___5

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['subject'] ;
  $message = 
There is a weakness in the PHP e-mail script in the previous chapter.
如果运用前一章讲到的PHP邮件发送脚本发送邮件的话,将很不安全。


     
     


PHP E-mail Injections
PHP 如何运行E-mail Injections


First, look at the PHP code from the previous chapter:
首先,我们先来看一下上一章讲到的PHP代码:





     
     

            
<html>
<body>

            
___FCKpd___1

            
___FCKpd___2

            




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。


What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?





     
     

            
___FCKpd___3

            




The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。


     
     


PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections


The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。


The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:





     
     

            
___FCKpd___4

            
___FCKpd___5

            
___FCKpd___6

            
___FCKpd___7

            



REQUEST['message'] ;
  mail("someone@example.com", "Subject: $subject",
  $message, "From: $email" );
  echo "Thank you for using our mail form";
  }
else
//if "email" is not filled out, display the form
  {
  echo "<form method='post' action='mailform.php'>

  Email: <input name='email' type='text' /><br />
  Subject: <input name='subject' type='text' /><br />
  Message:<br />
  <textarea name='message' rows='15' cols='40'>

  </textarea><br />
  <input type='submit' />
  </form>";
  }
?>
___FCKpd___2

The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
上述代码的问题就是未被授权的用户也可以通过输入表单向邮件标题[mail header]中插入数据信息。

What happens if the user adds the following text to the email input field in the form?
如果用户将下面的文本添加到表单中的email输入框中,将会发生什么情况呢?

___FCKpd___3

The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
Mail()函数像往常一样将上述的文本添加到邮件标题中。现在标题中含有Cc:,Bcc以及To:这样的附加域[extra field]。当用户点击提交按钮时,e-mail将会被发送到上述所有的地址中。

PHP Stopping E-mail Injections
PHP如何终止运行E-mail Injections

The best way to stop e-mail injections is to validate the input.
终止运行injections的最佳方法就是去验证输入的信息。

The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
下面这段代码和前一章提到过的相同,但是现在,我们已经在其中加入了用于检验表单中E-mail域的“信息输入验证器”,具体如下:

___FCKpd___4
___FCKpd___5
___FCKpd___6
___FCKpd___7

abcvw
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
[网络安全提高篇] 一一二.DataCon Coremail邮件安全竞赛之钓鱼邮件识别及分类
杨秀璋的专栏
10-26 2万+
这是作者2020年参加清华大学、Coremail、奇安信DataCon举办的比赛,主要是关于钓鱼和异常邮件识别研究。非常感谢举办方让我们学到了新知识,DataCon也是我比较喜欢和推荐的大数据安全比赛,这篇文章2020年10月就进了我的草稿箱,但由于小珞珞刚出生,所以今天才发表,希望对您有所帮助!感恩同行,不负青春。
PHP-基础-2
dengjiyu8406的博客
11-30 188
cookie cookie 常用于识别用户。cookie 是服务器留在用户计算机中的小文件。每当相同的计算机通过浏览器请求页面时,它同时会发送 cookie。通过 PHP,您能够创建并取回 cookie 的值。 setcookie() 函数用于设置 cookie。 注释:setcookie() 函数必须位于 <html> 标签之前。 <?php setcookie("...
PHP 安全的电子邮件
lbuskeep的专栏
07-25 777
在上一节中的 PHP e-mail 脚本中,存在着一个漏洞。PHP E-mail 注入首先,请看上一节中的 PHP 代码: <?php if (isset($_REQUEST['email'])) //if "email" is filled out, send e
学习PHP——高级(总)
lb569484787的博客
10-17 543
一、PHP多维数组 多维数组是包含一个或多个数组的数组。 在多维数组中,主数组中的每一个元素也可以是一个数组,子数组中的每一个元素也可以是一个数组。 <?php $sites = array ( "runoob"=>array ( "菜鸟教程", "http://www.runoob.com" ), "go...
PHP实现邮件发送
AOP_LIU的博客
06-16 4699
网站中需要添加一个使用自己的域名作为发件人邮件地址的自动发送邮件的方法,用于诸如给用户发送验证码、通知信息等。 那么,PHP下这种使用自己的域名作为发送邮件邮件地址的方法如何实现呢? PHP环境下,是提供了发送邮件的函数mail()的,不过该函数要求服务器支持sendmail或者必须设置一台不需要中继的邮件发送服务器,但现在要找到一台不需要身份验证的邮件发送中继几乎不可能,所以使用ma...
php 开源邮件系统,20款 Web Mail PHP开源项目
weixin_29865939的博客
03-10 2756
如今互联网巨头提供的企业应用套件中邮件托管是必备服务,而且还始终秉承免费的优良光荣传统,最为让人熟识的恐怕非“瘟多死里屋管理中心”和“股沟企业应用”莫属了。既然有现成的、优质的、免费的服务,那为什么我们还要自己架设邮件系统呢?理由很简单——蛋疼。当然,这是个玩笑,我相信的确有需要自己架设邮件系统的朋友,具体原因和出发点我想也会是百般千种,具体的实例我暂时拿不出来,但是可以尝试着去反向求证,以下将要...
php+邮件案例,php发送邮件-亲测成功案例
weixin_33586594的博客
03-27 1911
文章目录php发送邮件-亲测成功案例php发送邮件-亲测成功案例我的环境服务器:iisphp:php7.2.5操作系统:windows操作步骤先准备好线上能php的iis服务器准备好QQ邮箱开户这个,截图错了准备好sendMail.zip解压到某个目录(window发送邮箱需要这个exe程序)1. sendMail解压后的sendMail.ini需要配置成如下内容; configuration f...
Web安全简介 PHP
tusi
03-26 3210
背景 开发安全的应用程序十分重要,有漏洞的程序很容易被入侵,入侵后会造成无法承担的损失。 参考文章 Web 安全 读书笔记 [译] 2018 PHP 应用程序安全设计指北
使用PHPMailer实现PHP通过QQ邮箱发邮件功能
weixin_41604317的博客
09-29 1495
使用PHPMailer实现PHP通过QQ邮箱发邮件功能
PHP实现发送邮件
热门推荐
coco1118的博客
01-24 1万+
不同类型的邮箱发送邮件的方式也是不同的。 下面我们就先给大家举例介绍qq邮箱开启发送邮件服务的方法。 首先我们登录qq邮箱,打开设置,选择帐户。 然后在帐户下,找到如下所示的开启服务部分。 开启服务中,前两个选项均可实现邮件发送服务。点击开启,会出现验证提示。 确认验证,成功开启POP3/SMTP服务后,就会出现以下授权码。 那么此授权码就可以用于PHP实现邮件发送的开发方法中。 注: 每次开...
php 邮件发送问题解决
12-18
PHPMailer是一个广泛使用的开源库,能够支持SMTP验证、SSL/TLS加密等特性,使得发送邮件更为安全可靠。以下将详细介绍如何使用PHPMailer进行邮件发送以及如何获取用户的登录IP。 **一、PHPMailer的使用** 1. **...
php使用QQ邮箱发送邮件
07-13
PHP编程中,使用QQ邮箱发送邮件是一种常见的需求,尤其对于个人网站或小型项目来说,因为QQ邮箱提供了免费且易于配置的SMTP服务。本篇文章将详细介绍如何在PHP中利用QQ邮箱进行邮件发送,并涵盖相关知识点。 首先...
分享php邮件管理器
12-19
PHP邮件管理器】是一个用于管理和发送邮件的系统,它具备多用户权限管理,支持文本和HTML格式的邮件,以及订阅、退订功能。以下是该系统的关键知识点: 1. **需求分析**: - **管理员功能**:管理员需能够创建和...
一个php安全过滤类库
05-04
"一个PHP安全过滤类库"是专门为开发者设计的工具,旨在帮助他们在处理用户输入数据时防止各种安全威胁。这类库通常包含一系列预定义的函数或类方法,用于对输入数据进行验证、清理和转义,以消除潜在的SQL注入、跨站...
PHP发送邮件DEMO
03-07
PHPMailer是一个广泛使用的PHP邮件发送库,它支持SMTP协议,可以更好地模拟各种邮件客户端,处理复杂的邮件格式和安全问题。要使用PHPMailer,首先需要将其下载到项目中,解压后包含的文件通常有`class....
PHP编程开发工具有哪些?
Pythonit教程网
07-10 1008
PHP的开发工具种类繁多,涵盖了从集成开发环境(IDE)、代码编辑器、调试器到版本控制工具和数据库管理工具等多个方面。以下是一些常见的PHP开发工具:### 1. 集成开发环境(IDE)* **PhpStorm**:由JetBrains开发的全功能PHP IDE,提供了代码自动完成、调试器、版本控制工具等丰富的功能,支持多种框架和技术。PhpStorm拥有最现代化的功能集,可以快速便捷地进行网页开发,并支持所有PHP语言功能,是专业PHP开发的优选工具。 * **Eclipse PDT**:基于Eclips
什么是RPC?有哪些RPC框架?
yuiezt的专栏
07-09 1817
RPC(Remote Procedure Call,远程过程调用)是一种允许运行在一台计算机上的程序调用另一台计算机上子程序的技术。这种技术屏蔽了底层的网络通信细节,使得程序间的远程通信如同本地调用一样简单。RPC机制使得开发者能够构建分布式计算系统,其中不同的组件可以分布在不同的计算机上,但它们之间可以像在同一台机器上一样相互调用。
【Docker-compose】搭建php 环境
最新发布
AllenIverrui的博客
07-10 974
ElasticSearch是一款非常强大的、基于Lucene的开源搜索及分析引擎;它是一个实时的分布式搜索分析引擎,它能让你以前所未有的速度和规模,去探索你的数据。它被用作全文检索结构化搜索分析以及这三个功能的组合:Wikipedia使用 Elasticsearch 提供带有高亮片段的全文搜索,还有 search-as-you-type 和 did-you-mean 的建议。卫报使用 Elasticsearch 将网络社交数据结合到访客日志中,为它的编辑们提供公众对于新文章的实时反馈。
PHP7.4安装使用rabbitMQ教程(windows)
qq_28546559的博客
07-09 236
1,可能报错ext-sockets * -> it is missing,在php.ini中开启sockets扩展既可。下载地址:https://pecl.php.net/package/amqp。3,修改php.ini文件,增加extension=php_amqp.dll。1,将php_amqp.dll放到对应的php的ext目录下。三,安装库——php-amqplib/php-amqplib。一,检查php版本phpinfo()——下载所需扩展。
新規登録機能_PHP編1
08-04
1.登録 2.登録登録 URL 届 3.URL 、登録画面開登録 1.登録(仮登録) 2.新規会員登録(本登録)

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值