PHP contact form submits 1 in all fields

Time: 2012-08-07 16:48:55

Tags: php forms contact

I recently developed a website for a freelance client; the site has a contact form and a request-for-estimate form.

Every day both forms are submitted and emailed to the designated email address. However, the submissions are obviously not coming from real users, because every field contains the number 1. For example the name field will be Name: 1 and the address field will be Address: 1. The number 1 is repeated for all text input fields and even for the radio and checkbox form fields.

Below is a copy of the PHP file I use to process the Request for Estimate form submission.

<?php
// Short open tags (<?) are not enabled on every host; use the full <?php tag.
$subject="Associated Sennott Contractors Request For Estimate From:".$_GET['firstname'];
$headers= "From: ".$_GET['email']."\n";
$headers.='Content-type: text/html; charset=iso-8859-1';
mail("email@gmail.com", $subject,  "
    <html>
        <head>
            <title>Associated Sennott Contractors Request For Estimate</title>
    </head>
<body>
    <p><strong>Associated Sennott Contractors Request For Estimate</strong></p>
    <p>
        First Name: ".$_GET['firstname']." <br />
        Last Name: ".$_GET['lastname']." <br />
        Company Name: ".$_GET['company']." <br />
        Address 1: ".$_GET['address1']." <br />
        Address 2: ".$_GET['address2']." <br />
        City: ".$_GET['city']." <br />
        State: ".$_GET['state']." <br />
        Zip: ".$_GET['zip']." <br />
        Phone: ".$_GET['phone']." <br />
        Fax: ".$_GET['fax']." <br />
        Email: ".$_GET['email']." <br /><br />

        <strong>Property Type:</strong><br />
        Residential Single Family: ".$_GET['singlefamily']." <br />
        Residential Multi-Family: ".$_GET['multifamily']." <br />
        Residential Out-Building : ".$_GET['outbuilding']." <br />
        Commercial Office: ".$_GET['commercial']." <br />
        Retail Store: ".$_GET['retail']." <br />
        Restaurant: ".$_GET['restaurant']." <br />
        Industrial Building: ".$_GET['industrial']." <br /><br />

        <strong>Requested Services:</strong><br />
        Fire, Water or Wind Damage Restoration: ".$_GET['restoration']." <br />
        Scope of Loss Estimate to Insurance Company: ".$_GET['scope']." <br />
        Smoke Odor Remediation: ".$_GET['smoke']." <br />
        Exterior Remodeling or Siding: ".$_GET['exterior']." <br />
        Interior Remodeling: ".$_GET['interior']." <br />
        Hardwood and Laminate Flooring: ".$_GET['flooring']." <br />
        Finish Carpentry: ".$_GET['carpentry']." <br />
        Demolition and Debris Removal: ".$_GET['demo']." <br />
        Exterior Decks, Patios and Fencing: ".$_GET['patio']." <br />
        Other: ".$_GET['other']." <br /><br />

        <strong>Additional Information:</strong><br />
        Message: ".$_GET['info']."
    </p>  
</body>
</html>" , $headers);
header( 'Location: thankyou.html' ) ;
exit; // stop the script once the redirect header has been sent
?>

You can also view the PHP code at this link: http://sennottcontractors.com/home-repair-estimate/quote-code.html

Below you can see the HTML code of the actual form:

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Request An Estimate Form</title>
<script type="text/javascript">
function formSubmit()
{
document.getElementById("estimate-form").submit();
}
</script>

</head>
<body>
<fieldset>
<legend><h3>Request a Home Restoration Estimate</h3></legend>
    <form id="estimate-form" name="estimate-form" target="_parent" method="get" action="quote.php" onsubmit='return formValidator()'>
        <p><strong>Contact Information</strong></p>
            <p>First Name: *<br />
            <input type="text" size="40" name="firstname" id="firstname" /></p>
            <p>Last Name: *<br />
            <input type="text" size="40" name="lastname" id="lastname" /></p>
            <p>Company Name:<br />
            <input type="text" size="40" name="company" id="company" /></p>
            <p>Address 1: *<br />
            <input type="text" size="40" name="address1" id="address1" /></p>
            <p>Address 2:<br />
            <input type="text" size="40" name="address2" id="address2" /></p>
            <p>City: *<br />
            <input type="text" size="30" name="city" id="city" /></p>
            <p>State: *<br />
            <input type="text" size="5" name="state" id="state" /></p>
            <p>Zip: *<br />
            <input type="text" size="10" name="zip" id="zip" /></p>
            <p>Phone: *<br />
            <input type="text" size="20" name="phone" id="phone" /></p>
            <p>Fax:<br />
            <input type="text" size="20" name="fax" id="fax" /></p>
            <p>Email: *<br />
            <input type="text" size="40" name="email" id="email" /></p>
        <br />
        <p><strong>Property Type</strong> *</p>
            <p><input type="checkbox" name="singlefamily" id="singlefamily"/> Residential Single Family</p>
            <p><input type="checkbox" name="multifamily" id="multifamily"/> Residential Multi-Family <em>(Condominium, apartment, town house, etc)</em></p>
            <p><input type="checkbox" name="outbuilding" id="outbuilding"/> Residential Out-Building <em>(Garage, shed, etc)</em></p>
            <p><input type="checkbox" name="commercial" id="commercial"/> Commercial Office</p>
            <p><input type="checkbox" name="retail" id="retail"/> Retail Store</p>
            <p><input type="checkbox" name="restaurant" id="restaurant"/> Restaurant</p>
            <p><input type="checkbox" name="industrial" id="industrial"/> Industrial Building</p>
        <br />
        <p><strong>Requested Services</strong> *</p>
            <p><input type="checkbox" name="restoration" id="restoration"/> Fire, Water or Wind Damage Restoration</p>
            <p><input type="checkbox" name="scope" id="scope"/> Scope of Loss Estimate to Insurance Company</p>
            <p><input type="checkbox" name="smoke" id="smoke"/> Smoke Odor Remediation</p>
            <p><input type="checkbox" name="exterior" id="exterior"/> Exterior Remodeling or Siding</p>
            <p><input type="checkbox" name="interior" id="interior"/> Interior Remodeling</p>
            <p><input type="checkbox" name="flooring" id="flooring"/> Hardwood and Laminate Flooring</p>
            <p><input type="checkbox" name="carpentry" id="carpentry"/> Finish Carpentry</p>
            <p><input type="checkbox" name="demo" id="demo"/> Demolition and Debris Removal</p>
            <p><input type="checkbox" name="patio" id="patio"/> Exterior Decks, Patios and Fencing</p>
            <p><input type="checkbox" name="other" id="other"/> Other</p>
        <br />
    <p><strong>Additional Information</strong><br />
    Please provide any information regarding details of your home restoration project or additional information to your requested services.</p>
    <p><textarea rows="10" cols="65" id="info" name="info"></textarea></p>
    <button type="submit" id="submit" onclick="formSubmit()">Submit</button>
    </form>
    <p>* Required Fields</p>
</fieldset>
</body>
</html>

The request-an-estimate form that uses the PHP file and code above can be viewed at this link: http://sennottcontractors.com/home-repair-estimate/index.html

Again, both the request-an-estimate form and the contact form are submitted once every day with the number 1 in every form field.

My guess is that this may be a problem with the PHP file itself, or it may be coming from the hosting server side.

Please help!!!

3 answers:

Answer 0: (score: 2)

There is technically nothing wrong with your form. You stated the cause of the problem yourself: "...the submissions are obviously not coming from real users...". So the solution is to make your form anti-bot. See this question on the Pro Webmasters site for how to do that: Make your site anti-bot?

Answer 1: (score: 2)

Part of the problem is that you need to use a form nonce or "token".

form.php

<?php
session_start();

// One token per form load, stored server side and echoed into the form.
$_SESSION['token'] = md5(mt_rand() . uniqid('form', true));

...

?>
<form method="post" action="process.php">
<input type="hidden" name="token" value="<?php print $_SESSION['token']; ?>">
...
</form>

process.php

<?php
session_start();

// Reject the submission unless the token stored in the session matches the one posted back.
if (!isset($_SESSION['token'], $_POST['token']) || $_SESSION['token'] !== $_POST['token'])
{
    die('They did not load the form!');
}

...

(validation)

...

$db->insert($record);

Answer 2: (score: 1)

You are not doing any validation. What do you expect?

Anyone can grab the form fields, build a URL (since you are using GET instead of POST) and submit it whenever they like. What you are probably seeing is a bot trying to figure out whether it can hijack your form to send emails.

What you should do is switch to POST and check the $_SERVER['HTTP_REFERER'] variable to make sure the request came from your form (at least). You could also use a CAPTCHA, but those are becoming less and less reliable. You can go further and use a validation class to set rules for each field and for what kind of data is allowed in each field.

Forms are easy to manipulate, so if you want any integrity in your form submissions you should validate on the server side. Client-side validation does not hurt, but it is only there for user-experience purposes, not for ensuring data integrity.
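The following is an added example, not code from the original poster or from any of the answers. It is a hardened replacement for quote.php that combines the session token from answer 1 with the switch to POST and the per-field server-side rules from answer 2, using the field names of the form shown in the question. Two details of the posted code are worth fixing at the same time: the submitter's email is copied unvalidated into the From: header, where a CR/LF lets a sender append headers of their own (Bcc: and so on), and every field is concatenated unescaped into an HTML email. The example also exploits the specific symptom in the question: the checkboxes in the form have no value attribute, so a real browser sends "on" when ticked and nothing when not, and a checkbox field arriving as "1" cannot have come from the form. The honeypot field name "website", the site's own sender address and the use of Reply-To for the submitter are assumptions of this example; the token itself is generated as in answer 1 (a cryptographically random value from random_bytes() is the better choice on PHP 7+).

```php
<?php
// Added example (not the original poster's code): hardened quote.php.
// Assumes PHP 7+, a session token set as in answer 1, the form switched to
// method="post" with <input type="hidden" name="token"> and a hidden
// honeypot input named "website" (the honeypot name is an assumption).
session_start();

// Text fields of the form and whether each is required.
const TEXT_FIELDS = [
    'firstname' => true, 'lastname' => true, 'company' => false,
    'address1' => true, 'address2' => false, 'city' => true,
    'state' => true, 'zip' => true, 'phone' => true, 'fax' => false,
    'email' => true, 'info' => false,
];
// Checkbox names from the form. They carry no value attribute, so a browser
// sends "on" when ticked and omits the field entirely when not.
const CHECKBOXES = [
    'singlefamily', 'multifamily', 'outbuilding', 'commercial', 'retail',
    'restaurant', 'industrial', 'restoration', 'scope', 'smoke', 'exterior',
    'interior', 'flooring', 'carpentry', 'demo', 'patio', 'other',
];

// Returns a list of validation errors; an empty list means accept.
function validate_estimate(array $post, ?string $sessionToken): array
{
    $errors = [];

    // 1. Nonce: the form must have been loaded in this session first.
    //    hash_equals avoids leaking the token through comparison timing.
    if ($sessionToken === null || !isset($post['token'])
        || !hash_equals($sessionToken, (string) $post['token'])) {
        $errors[] = 'missing or invalid form token';
    }
    // 2. Honeypot (assumed field, hidden with CSS): humans leave it empty.
    if (!empty($post['website'])) {
        $errors[] = 'honeypot field was filled';
    }
    // 3. Required text fields, with a length cap on everything.
    foreach (TEXT_FIELDS as $name => $required) {
        $v = trim((string) ($post[$name] ?? ''));
        if ($required && $v === '') {
            $errors[] = "$name is required";
        } elseif (strlen($v) > 2000) {
            $errors[] = "$name is too long";
        }
    }
    // 4. The email is reflected into a mail header, so it must be a single
    //    valid address with no CR/LF (a CR/LF would inject extra headers).
    $email = (string) ($post['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false
        || preg_match('/[\r\n]/', $email)) {
        $errors[] = 'email is not a valid address';
    }
    // 5. Format rule for a field with a known shape (US ZIP or ZIP+4).
    if (!preg_match('/^\d{5}(-\d{4})?$/', (string) ($post['zip'] ?? ''))) {
        $errors[] = 'zip must be 5 digits or ZIP+4';
    }
    // 6. Checkboxes: only "on" or absent can come from a real browser.
    //    The bot in the question sends "1", which is rejected here.
    foreach (CHECKBOXES as $name) {
        if (isset($post[$name]) && $post[$name] !== 'on') {
            $errors[] = "$name has a value no browser would send";
        }
    }
    return $errors;
}

// Builds the HTML body with every submitted value escaped, so form input
// cannot inject markup into the email.
function build_body(array $post): string
{
    $lines = [];
    foreach (TEXT_FIELDS as $name => $_) {
        $value = trim((string) ($post[$name] ?? ''));
        $lines[] = $name . ': ' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    foreach (CHECKBOXES as $name) {
        $lines[] = $name . ': ' . (isset($post[$name]) ? 'yes' : 'no');
    }
    return '<html><body><p>' . implode("<br />\n", $lines) . '</p></body></html>';
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST required');
}
$errors = validate_estimate($_POST, $_SESSION['token'] ?? null);
unset($_SESSION['token']); // a token is good for exactly one submission
if ($errors !== []) {
    http_response_code(400);
    exit('Rejected: ' . htmlspecialchars(implode('; ', $errors), ENT_QUOTES, 'UTF-8'));
}
// Send from an address the site controls (assumed); the validated submitter
// address goes into Reply-To, never into From: as in the posted code.
$headers = "From: noreply@example.com\r\n"
    . 'Reply-To: ' . $_POST['email'] . "\r\n"
    . "Content-Type: text/html; charset=UTF-8\r\n";
$subject = 'Request For Estimate from '
    . preg_replace('/[\r\n]/', '', (string) $_POST['firstname']);
mail('email@gmail.com', $subject, build_body($_POST), $headers);
header('Location: thankyou.html');
exit;
```

The Referer check suggested in answer 2 is deliberately not part of the example: the header is set by the client, so a bot can send any value, and many browsers and proxies strip it, so relying on it rejects real users while stopping nobody who is trying. The session token does the job the Referer check was meant to do. Because the form in the question still uses method="get" and has no token input, both the form and the handler have to change together; a request that arrives without the token (or by GET) is rejected before any mail is sent, which by itself ends the daily "1" submissions.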