PHPMailer feedback e-mail

Time: 2013-04-25 13:04:17

Tags: php html email code-injection phpmailer

I have made a form for potential clients to fill in so that they can get an estimated quote by e-mail. The e-mail I receive looks good and everything works the way I want it to.

I also have jQuery validation; I am not going to post that snippet unless someone wants to see it. It basically echoes any possible error into a slideDown div box.

My main concern is whether it is secure. When I got the form working I thought I had done everything correctly, and only afterwards did I find out about header injection and so on, so I am now paranoid. I do not want a silly mistake of mine to be used to send spam.

My question is: have I missed any important security features? And is there a way to shorten the code (listing all those variables, which I am sure need to be checked, but could they be checked at the point where they are given their variable names)?

The code is as follows:

<?php
error_reporting(0);            // hides every PHP error and warning from the response (and from you)
$emailAddress       = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';   // recipient of the quote request
// NOTE: none of these $_GET variables is used below; the message body reads every field from $_POST.
$csite          = $_GET['csite'];
$locate             = $_GET['locate'];
$describe           = $_GET['describe'];
$competition        = $_GET['competition'];
$ideas          = $_GET['ideas'];
$require            = $_GET['require'];
$target             = $_GET['target'];
$time               = $_GET['time'];
$budget             = $_GET['budget'];
$look               = $_GET['look'];
$example            = $_GET['example'];
$font               = $_GET['font'];
$photos             = $_GET['photos'];
$pnum               = $_GET['pnum'];
$cms                = $_GET['cms'];
$hosting            = $_GET['hosting'];
$domain             = $_GET['domain'];
$features           = $_GET['features'];
$extra          = $_GET['extra'];
$hear               = $_GET['hear'];

require "assets/class.phpmailer.php";
session_start();                // must run before $_SESSION['verify'] is read below

// Server-side validation of the three mandatory fields plus the CAPTCHA
$err = array();
if(!checkLen('name'))$err[]='The name field is too short or empty!';
if(!checkLen('email'))$err[]='The email field is too short or empty!'; else
if(!checkEmail($_POST['email']))$err[]='Your email is not valid!';
if(!checkLen('phone'))$err[]='You have not selected a phone!';
// The page that rendered the form stored md5($captchaCode) in $_SESSION['verify']
if(md5($_POST['verify']) != $_SESSION['verify'])$err[]='The captcha code is wrong!';

if(count($err)){
foreach($err as $one_er){
echo $one_er . "<br/>";
}
exit();
}
else
session_destroy();              // CAPTCHA passed: drop the session so the same code cannot be replayed
//Style how the received email will look
// Every $_POST value is placed into the HTML body as-is (no escaping)
$msg='You have been contacted by '.$_POST['name'].'<br /><br />

<table style="padding:0;margin: 0;padding: 3px;width: 100%;border: 1px solid #000000;border-collapse: collapse;border-spacing: 0;">
<tr>
<td style="width:35%;background:#1775ca;color:#FFF;padding:3px;">Question</td>
<td style="width:65%;background:#1775ca;color:#FFF;padding:3px;">Answer</td>
</tr>
<tr>
<td>Name</td><td>'.$_POST['name'].'</td>
</tr>
<tr>
<td>Email:</td><td>'.$_POST['email'].'</td>
</tr>
<tr>
<td>Phone</td><td>'.$_POST['phone'].'</td>
</tr>
<tr>
<td>Current Website</td><td>'.$_POST['csite'].'</td>
</tr>
<tr>
<td>Location</td><td>'.$_POST['locate'].'</td>
</tr>
<tr>
<td>Company Description</td><td>'.$_POST['describe'].'</td>
</tr>
<tr>
<td>Competition</td><td>'.$_POST['competition'].'</td>
</tr>
<tr>
<td>Ideas</td><td>'.$_POST['ideas'].'</td>
</tr>
<tr>
<td>Requirements</td><td>'.$_POST['require'].'</td>
</tr>
<tr>
<td>Target Audience:</td><td>'.$_POST['target'].'</td>
</tr>
<tr>
<td>Time frame</td><td>'.$_POST['time'].'</td>
</tr>
<tr>
<td>Budget</td><td>'.$_POST['budget'].'</td>
</tr>
<tr>
<td>Desired Look</td><td>'.$_POST['look'].'</td>
</tr>
<tr>
<td>Examples of Inspiration</td><td>'.$_POST['example'].'</td>
</tr>
<tr>
<td>Fonts/Colours</td><td>'.$_POST['font'].'</td>
</tr>
<tr>
<td>Images</td><td>'.$_POST['photos'].'</td>
</tr>
<tr>
<td>Number of Pages</td><td>'.$_POST['pnum'].'</td>
</tr>
<tr>
<td>CMS</td><td>'.$_POST['cms'].'</td>
</tr>
<tr>
<td>Hosting</td><td>'.$_POST['hosting'].'</td>
</tr>
<tr>
<td>Domain</td><td>'.$_POST['domain'].'</td>
</tr>
<tr>
<td>Features</td><td>'.$_POST['features'].'</td>
</tr>
<tr>
<td>Extra</td><td>'.$_POST['extra'].'</td>
</tr>
<tr>
<td>Origin</td><td>'.$_POST['hear'].'</td>
</tr>
</table>

You can contact '.$_POST['name'].' via the email '.$_POST['email'].' <br />
The recorded IP is '.$_SERVER['REMOTE_ADDR'].';
';
$mail = new PHPMailer();
$mail->IsMail();                                         // send through PHP's mail()
$mail->AddReplyTo($_POST['email'], $_POST['name']);      // replies go to the visitor
$mail->AddAddress($emailAddress);
$mail->SetFrom($_POST['email'], $_POST['name']);         // From header is the visitor's own address
$mail->Subject = "You've been contacted by ".$_POST['name']."";
$mail->MsgHTML($msg);
if(!$mail->Send()){                                      // Send() returns false on failure; $mail->ErrorInfo says why
echo "Message could not be sent.";
exit();
}
unset($_SESSION['post']);                                // harmless: the session was already destroyed above
echo "Message sent!";

// Check Field length (after stripping tags) against a minimum of $len characters
function checkLen($str,$len=3){
return isset($_POST[$str]) && mb_strlen(strip_tags($_POST[$str]),"utf-8") > $len;
}
// Check email validation ("A-Za-z" rather than "A-z": the latter range also matches [ \ ] ^ _ `)
function checkEmail($str){
return preg_match("/^[\.A-Za-z0-9_\-\+]+[@][A-Za-z0-9_\-]+([.][A-Za-z0-9_\-]+)+[A-Za-z]{1,4}$/", $str);
}
?>

I have looked all over Stack Overflow and there is a lot about PHPMailer, but mostly about it not working. Mine works, but I just need someone with a good eye and a better understanding either to reassure me that it is fine or to let me know what could perhaps be improved!

Thanks in advance!

0 answers
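A hardened version of the handler, added here as an illustration; it is not part of the original question and not an answer posted to the thread (which has none). It keeps the poster's field names, session-based CAPTCHA and the PHPMailer 5.2 calls from the posted script. What it changes: the form fields are read through a whitelist instead of one variable per field (which also answers the "can I shorten this" question), every value is escaped with htmlspecialchars before it lands in the HTML body, the From header is a fixed address on your own domain with the visitor only in Reply-To (a visitor-supplied From is a spoofed sender that SPF/DMARC on the receiving side may reject), the address is validated with filter_var, the CAPTCHA check tolerates a missing session or field instead of throwing notices, the result of Send() is checked, and errors are logged rather than silenced with error_reporting(0). Assumptions: PHPMailer is still at assets/class.phpmailer.php, the page that renders the form stores a random token in $_SESSION['csrf'] and echoes it in a hidden field named csrf (both names are mine), and the two e-mail addresses are placeholders.

```php
<?php
// Added example: hardened rewrite of the quote-request handler. Not the original poster's code.
// Assumes PHPMailer 5.2.x at assets/class.phpmailer.php, the same form field names, and a CSRF
// token that the form page created with e.g. $_SESSION['csrf'] = bin2hex(openssl_random_pseudo_bytes(16))
// and echoed into <input type="hidden" name="csrf"> (field/session names are assumptions).
error_reporting(E_ALL);
ini_set('display_errors', '0');      // never show PHP errors to the visitor ...
ini_set('log_errors', '1');          // ... but do keep them in the server log

require "assets/class.phpmailer.php";
session_start();

$recipient = 'you@example.com';      // placeholder: where quote requests are delivered
$sender    = 'noreply@example.com';  // placeholder: a mailbox on a domain whose SPF/DKIM you control

// Whitelist of accepted form fields => label shown in the e-mail. Anything else in $_POST is ignored.
$fields = array(
    'name' => 'Name', 'email' => 'Email', 'phone' => 'Phone', 'csite' => 'Current Website',
    'locate' => 'Location', 'describe' => 'Company Description', 'competition' => 'Competition',
    'ideas' => 'Ideas', 'require' => 'Requirements', 'target' => 'Target Audience',
    'time' => 'Time frame', 'budget' => 'Budget', 'look' => 'Desired Look',
    'example' => 'Examples of Inspiration', 'font' => 'Fonts/Colours', 'photos' => 'Images',
    'pnum' => 'Number of Pages', 'cms' => 'CMS', 'hosting' => 'Hosting', 'domain' => 'Domain',
    'features' => 'Features', 'extra' => 'Extra', 'hear' => 'Origin',
);

// Always returns a trimmed, length-capped string: no undefined-index notices, no arrays via name[]
function field($name, $max = 2000) {
    $v = (isset($_POST[$name]) && is_string($_POST[$name])) ? trim($_POST[$name]) : '';
    return mb_substr($v, 0, $max, 'UTF-8');
}
// Escape before placing a value in the HTML body (or in the error output)
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$err = array();
if ($_SERVER['REQUEST_METHOD'] !== 'POST') { $err[] = 'Invalid request method.'; }
// CSRF token issued when the form page was rendered must match the submitted hidden field
if (!isset($_SESSION['csrf'], $_POST['csrf']) || $_SESSION['csrf'] !== $_POST['csrf']) {
    $err[] = 'Invalid form token.';
}
if (mb_strlen(field('name'), 'UTF-8') < 3)  { $err[] = 'The name field is too short or empty!'; }
if (!filter_var(field('email'), FILTER_VALIDATE_EMAIL)) { $err[] = 'Your email is not valid!'; }
if (mb_strlen(field('phone'), 'UTF-8') < 3) { $err[] = 'You have not selected a phone!'; }
// Header-injection guard: a display name used in Reply-To must never contain a line break
if (preg_match('/[\r\n]/', field('name'))) { $err[] = 'Invalid characters in name.'; }
// CAPTCHA: form page stored md5($code) in $_SESSION['verify']; a missing value is simply a failure
if (!isset($_SESSION['verify']) || !isset($_POST['verify'])
    || md5($_POST['verify']) !== $_SESSION['verify']) {
    $err[] = 'The captcha code is wrong!';
}

if (count($err)) {
    foreach ($err as $e) { echo h($e) . "<br/>"; }
    exit();
}
unset($_SESSION['verify'], $_SESSION['csrf']);   // one submission per CAPTCHA solution and token

// Build the table from the whitelist: every cell is escaped, user line breaks become <br />
$rows = '';
foreach ($fields as $key => $label) {
    $rows .= '<tr><td>' . h($label) . '</td><td>' . nl2br(h(field($key))) . '</td></tr>' . "\n";
}
$msg = 'You have been contacted by ' . h(field('name')) . '<br /><br />'
     . '<table border="1" cellpadding="3" style="border-collapse:collapse;width:100%">'
     . '<tr><th>Question</th><th>Answer</th></tr>' . "\n" . $rows . '</table>'
     . '<br />You can contact ' . h(field('name')) . ' via the email ' . h(field('email'))
     . '<br />The recorded IP is ' . h($_SERVER['REMOTE_ADDR']);

$mail = new PHPMailer();
$mail->IsMail();
$mail->CharSet = 'UTF-8';
$mail->AddReplyTo(field('email'), field('name'));   // replies still reach the visitor ...
$mail->SetFrom($sender, 'Website quote form');      // ... but From (and envelope sender) is yours
$mail->AddAddress($recipient);
$mail->Subject = "You've been contacted by " . field('name');
$mail->MsgHTML($msg);                               // also derives a plain-text AltBody

if (!$mail->Send()) {
    error_log('Quote form: mail failed: ' . $mail->ErrorInfo);
    echo "Message could not be sent. Please try again later.";
    exit();
}
echo "Message sent!";
```

AddReplyTo is called before SetFrom on purpose: in PHPMailer 5.2, SetFrom adds its own address as Reply-To when none has been set yet, so the order above leaves the visitor as the only Reply-To while the From header and the envelope sender stay on your domain. The whitelist loop replaces the twenty-odd hand-written rows and the unused $_GET assignments from the posted script; adding a field to the form then means adding one array entry.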