dongruolin5324 2015-10-27 09:46
浏览 64
已采纳

如何保护发送电子邮件的简单PHP脚本?

In a simple contact form, the HTML form triggers a Php script :

<form method="post" action="email.php">.....</form>

This email.php sends me an email :

<?php
    $mess=$_POST['name']. "
" .$_POST['site']. "
" .$_POST['email']. "
" .$_POST['meta']. "
" .$_POST['message'];
    mail('myemail@gmail.com', 'Subject', $mess);
?>

The HTML is using jQuery validate plugin, but nothing like this on the Php side.

A Security expert told me how insanely unsecure this php script was.

What can I do to enhance security ?

  • 写回答

3条回答 默认 最新

  • dqunzip3183 2015-10-27 14:47
    关注

    My guess is that your "security expert" saw you using raw $_POST data and using the mail() function, and he freaked out, but didn't stop to actually check how bad things were.

    He has a point in that using $_POST without doing any validation on it is almost always a recipe for being hacked, but in fact in this particular case I don't think it's too bad, because you are the only recipient (so it's not going to be used for spam, which is the main thing to worry about in these cases), and because the body is plain text (so a hacker can't send you any nasty scripts or attachments).

    Without any validation, you could get some really weird emails as a result of hackers trying to find a way around your defences, but not too much else.

    PHP's mail() function is a well-known soft target for hackers because there is an awful lot of insecure code out there that uses it. However the real danger with mail() tends to be if you use the headers parameter (ie to set things like the sender address, etc), which you haven't used. Since you're not using headers, the risks are a lot lower, and mainly limited to making it easy for someone to mailbomb you.

    If you are still worried about the security of the mail() function, the best solution is to use a library like phpMailer instead.

    To be honest, my advice whenever anyone wants to use PHP's mail() function is always to use phpMailer or Swiftmailer instead. And it's not even just about security; even for simple cases, they can make your code a lot easier to read and maintain.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥15 求差集那个函数有问题,有无佬可以解决
  • ¥15 【提问】基于Invest的水源涵养
  • ¥20 微信网友居然可以通过vx号找到我绑的手机号
  • ¥15 寻一个支付宝扫码远程授权登录的软件助手app
  • ¥15 解riccati方程组
  • ¥15 display:none;样式在嵌套结构中的已设置了display样式的元素上不起作用?
  • ¥15 使用rabbitMQ 消息队列作为url源进行多线程爬取时,总有几个url没有处理的问题。
  • ¥15 Ubuntu在安装序列比对软件STAR时出现报错如何解决
  • ¥50 树莓派安卓APK系统签名
  • ¥65 汇编语言除法溢出问题