PHP e-mail 注入
未经授权的用户可以在代码表头插入数据
#在e-mail的message部分写入:
someone@example.com%0ACc:person2@example.com
%0ABcc:person3@example.com,person3@example.com,
anotherperson4@example.com,person5@example.com
%0ABTo:person6@example.com
使用PHP过滤器,检测表单中email字段
function spamcheck($field)
{
//FILTER_SANITIZE_EMAIL 从字符串中删除电子邮件的非法字符
$field=filter_var($field, FILTER_SANITIZE_EMAIL);
//FILTER_VALIDATE_EMAIL 验证电子邮件地址
if(filter_var($field, FILTER_VALIDATE_EMAIL))
return TRUE;
else
return FALSE;
}
if (isset($_REQUEST['email']))
{//if "email" is filled out, proceed
//check if the email address is invalid
$mailcheck = spamcheck($_REQUEST['email']);
if ($mailcheck==FALSE)
{
echo "Invalid input";
}
else
{//send email
$email = $_REQUEST['email'] ;
$subject = $_REQUEST['subject'] ;
$message = $_REQUEST['message'] ;
mail("someone@example.com", "Subject: $subject",
$message, "From: $email" );
echo "Thank you for using our mail form";
}
}
else
{//if "email" is not filled out, display the form
echo "<form method='post' action='mailform.php'>
Email: <input name='email' type='text' /><br />
Subject: <input name='subject' type='text' /><br />
Message:<br />
<textarea name='message' rows='15' cols='40'>
</textarea><br />
<input type='submit' />
</form>";
}