douchungu0859
2019-06-14 15:52
129 views
Accepted

How to send multiple attachments from a web form with PHPMailer V6.0.7 and PHP in 2019

What is the current best way to send multiple attachments with PHPMailer v6.0.7 and PHP in 2019? I have read different methods, and some say that is wrong due to security issues, and times are always changing. I am using a live hosting server as well. I have added "Focus Point ----------------" to the code.

I have not really done anything because I am not sure what the 2019 best practices are. I have read a lot of duplicates, and this one might get flagged as well, but there is a lot of PHP code, good and bad, and who knows which one is still the best in 2019. I will use my last working example from my other post, but I want to add in attachments.

My focus is the correct PHP for uploading one file and multiple attachments the proper way, $mail->addAttachment with an example, whether it is really safe to load files to a live server in the temp directory, and whether the HTML code is proper for the attachments, which I assume it already is.

<?php
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;
use PHPMailer\PHPMailer\SMTP; // <- This fixed most of my issues but not always required per Synchro
require 'PHPMailer/Exception.php';
require 'PHPMailer/PHPMailer.php';
require 'PHPMailer/SMTP.php';

$mail = new PHPMailer(true);

if (isset($_POST['submit'])) { // <--- Added Opening

    $first_name = ((isset($_POST['FirstName'])) && (!is_null($_POST['FirstName']))) ? $_POST['FirstName'] : '';
    $last_name  = ((isset($_POST['LastName']))  && (!is_null($_POST['LastName'])))  ? $_POST['LastName']  : '';
    $email      = ((isset($_POST['Email']))     && (!is_null($_POST['Email'])))     ? $_POST['Email']     : '';
    $age        = ((isset($_POST['Age']))       && (!is_null($_POST['Age'])))       ? $_POST['Age']       : '';
    $student    = ((isset($_POST['Student']))   && (!is_null($_POST['Student'])))   ? $_POST['Student']   : '';
    $agree18    = ((isset($_POST['Agree18']))   && (!is_null($_POST['Agree18'])))   ? $_POST['Agree18']   : '';

    // Focus Point ----------------
    // Any Security PHP Code for Uploaded Files Updated to 2019 Standards
    // ----------------------------

    // Note: Hosting Service should provide this info to you.
    // ----------
    $mail->isSMTP();
    $mail->SMTPDebug = 2; // 0 = off (for production use) - 1 = client messages - 2 = client and server messages
    $mail->Host = 'mail.email.org';
    $mail->SMTPSecure = 'ssl'; // <- Could be TLS
    $mail->Port = 465;         // <- Could be 587 or 25
    $mail->SMTPAuth = true;
    $mail->Username = 'Mail@email.org'; // <- To access your Hosting email
    $mail->Password = 'Password';

    /* Set the mail sender. */
    $mail->setFrom('Mail@email.org');    // <- From Myself
    $mail->addAddress('Mail@email.org'); // <- To Myself

    $mail->Subject = 'Research Requested';

    $mail->isHTML(true);
    $mail->Body = '<html> First Name: ' . $first_name . ' Last Name: ' . $last_name . ' Email: ' . $email
                . ' Age: ' . $age . ' Student: ' . $student . ' Agree18: ' . $agree18 . '</html>';

    // Focus Point ----------------
    // Placeholder call: the second argument is the file name shown in the mail, not a MIME type.
    $mail->addAttachment('File Path', 'Type');
    // ----------------------------
    $mail->send();
} // <-- Added Closing

?>

<!DOCTYPE html>
<html lang="en">
<head>

</head>
<body>

<div class="container">

<form method="POST" enctype="multipart/form-data" action="#"> <!-- added # -->

<h4>Want to Learn More? Please fill out the form below.</h4>
<div class="form-group">
<label for="FirstName">First Name:</label>
<input type="text" class="form-control" name="FirstName" id="FirstName" placeholder="First Name" required="">
</div>

<div class="form-group">
<label for="LastName">Last Name:</label>
<input type="text" class="form-control" name="LastName" id="LastName" placeholder="Last Name" required="">
</div>

<div class="form-group">
<label for="Age">How old are you?</label>
<input type="text" class="form-control" name="Age" id="Age" placeholder="Age" required="">
</div>

<div class="form-group">
<label for="Email">Email:</label>
<input type="email" class="form-control" name="Email" id="Email" placeholder="Mail@help.org" required="">
</div>

<h4>Please select if you are a student</h4>
<div><small class="form-text text-muted">
    Select all that apply.
</small></div>

<div class="custom-control custom-checkbox">
<input type="checkbox" class="custom-control-input" name="Student" id="Student" value="Yes">
<label class="custom-control-label" for="Student">Student</label>
</div>

<!-- Focus Point ---------------- -->
<h4>Please upload a Photo:</h4>
<br>
<div class="form-group">
<label for="Photo">Photo</label>
<!-- name="" added: without it the browser sends no file and $_FILES stays empty -->
<input type="file" class="form-control-file" name="Photo" id="Photo">
</div>

<div class="form-group">
<label for="Photo2">Photo 2</label>
<input type="file" class="form-control-file" name="Photo2" id="Photo2">
</div>
<!-- --------------------------------------------- -->

<h4>Please agree to the following:</h4>

<div class="custom-control custom-checkbox">
<input type="checkbox" class="custom-control-input" name="Agree18" id="Agree18" value="Yes" required="">
<label class="custom-control-label" for="Agree18">I can prove I am 18 years or older. I am legal age to participate according to my country. Proof may be required by law.</label>
</div>

<p>All information will be held strictly confidential in accordance with our disclosure policy which can be requested.</p>

<div class="submit">
<button type="submit" name="submit" class="btn btn-primary">Send <i class="fa fa-lock"></i></button>
</div>

</form>
</div>

</body>
</html>

I am hoping to have an updated example that works and is up to 2019 standard with security in mind. I am hoping to have one example for a single file upload and one example for multiple file uploads from a web form. I would also like a detailed explanation of each part and why it works that way, if possible. I want to play around with attachments but never really understood what is going on.


1 answer

  • dougang5993 2019-06-14 20:34
    Accepted

    This is a very vague question that will probably cause you to get close votes for being too broad, and you seem to have overlooked resources that are very easily found.

    There are two files provided with PHPMailer that provide examples of how to send one file, and how to send multiple files, and they are absolutely what you should base your code on.

    As far as "2019 standards" go, they are not really that different to standards from the last 10 years. It mostly comes down to the simple things:

    • sanitise your inputs (remove stuff you know is bad)
    • validate your inputs (check that what you're left with looks like you expect)
    • escape your output appropriately for its context (e.g. HTML escaping is not appropriate for writing data to a CSV file)

    So for example in your code, you do this:

    $email = ((isset($_POST['Email'])) && (!is_null($_POST['Email']))) ? $_POST['Email'] : '';

    This checks that the email field exists, that's all. For all you know it could be a base64-encoded PDF of War and Peace and it would still pass this check. You can actually do the same check in less code in recent PHP versions with the null coalesce operator:

    $email = $_POST['Email'] ?? '';

    However, this still doesn't do any filtering or validation. PHPMailer provides automatic email address validation on any method that accepts an address, so you could use that:

    // The field name must match the form exactly ('Email', not 'email').
    if (!isset($_POST['Email']) || !$mail->addReplyTo($_POST['Email'])) {
        die('Invalid email address');
    }

    Incidentally, this is the right way to use a submitter's addresses in contact forms; you're not putting it in a from address (because that would be forgery), but you will still be able to reply to the submitter when you receive the message.

    Another example is your Agree18 field; that's a checkbox, and so it should either not exist at all (if the checkbox was not checked), or exist and have a value of yes (though you can ignore the value - its presence is enough). So enforce that pattern - your existing code will accept absolutely anything in that field (remember that HTML is not any kind of protection against this). So you could say:

    $agree18 = isset($_POST['Agree18']) ? 'yes' : 'no';

    Now there is no way that anything bad can be introduced through that field; if it exists it's yes, otherwise it's no. Clean, simple, and safe.

    The main rule for escaping output is not to display anything that has been provided by the user. For example, this is wide-open to XSS attack:

    echo $_POST['Email'];

    This is much safer:

    echo htmlspecialchars($_POST['Email'], ENT_QUOTES);

    and would be even safer if you had already validated that it contained a valid email address.

    Anyway, you should have the idea by now.

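One way to put the answer's three rules (sanitise, validate, escape) together with the question's upload-and-attach part, as an added example that is not code from the question, the answer or PHPMailer's own samples. It assumes PHPMailer v6 installed via Composer, the form's file inputs changed to a single `<input type="file" name="Photo[]" multiple>`, and the SMTP settings from the question; `safeUploads`, `MAX_BYTES` and `ALLOWED` are names chosen here.

```php
<?php
// Added example, not code from the question, the answer or PHPMailer itself.
// Assumes Composer-installed PHPMailer v6 and a form field
// <input type="file" name="Photo[]" multiple>; SMTP settings as in the question.
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;
require 'vendor/autoload.php';
const MAX_BYTES = 2 * 1024 * 1024;                               // per-file size cap
const ALLOWED   = ['image/jpeg' => 'jpg', 'image/png' => 'png']; // MIME type => extension
// Return only the uploads that pass every check, keyed by a server-chosen file name.
function safeUploads(array $files): array
{
    $ok    = [];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    foreach ($files['tmp_name'] as $i => $tmp) {
        // Drop empty inputs, transfer errors, oversized files and anything PHP did not upload.
        if ($files['error'][$i] !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)
            || $files['size'][$i] > MAX_BYTES) {
            continue;
        }
        // Decide the type from the file's bytes, not from the client-supplied name or type.
        $mime = $finfo->file($tmp);
        if (!isset(ALLOWED[$mime])) {
            continue;
        }
        // The attachment name is generated here; the original name never reaches the mail.
        $ok[sprintf('photo%d.%s', $i + 1, ALLOWED[$mime])] = $tmp;
    }
    return $ok;
}
$mail = new PHPMailer(true);
try {
    // isSMTP(), Host, Port, SMTPSecure, SMTPAuth, Username, Password: as in the question.
    $mail->setFrom('Mail@email.org');
    $mail->addAddress('Mail@email.org');
    // PHPMailer validates the address; the submitter goes in Reply-To, never in From.
    if (!isset($_POST['Email']) || !$mail->addReplyTo($_POST['Email'])) {
        die('Invalid email address');
    }
    $agree18 = isset($_POST['Agree18']) ? 'yes' : 'no'; // checkbox: presence is the value
    $mail->isHTML(true);
    $mail->Subject = 'Research Requested';
    $mail->Body = 'Email: ' . htmlspecialchars($_POST['Email'], ENT_QUOTES) . '<br>Agree18: ' . $agree18;
    foreach (safeUploads($_FILES['Photo'] ?? ['tmp_name' => []]) as $name => $tmp) {
        $mail->addAttachment($tmp, $name); // PHP deletes the temp file when the request ends
    }
    $mail->send();
} catch (Exception $e) {
    echo 'Message could not be sent: ' . htmlspecialchars($mail->ErrorInfo, ENT_QUOTES);
}
```

Because the attachment is read straight from PHP's upload temp directory and never moved into the web root, nothing uploaded becomes reachable by URL; PHPMailer derives the Content-Type from the extension of the server-chosen name.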
