这个php邮件脚本不受标头注入的影响吗

这个php邮件脚本不受标头注入的影响吗

本文介绍了用stristr()替换已弃用的eregi().这个php邮件脚本不受标头注入的影响吗?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

多年来,我一直在使用相同的php脚本从联系表单发送电子邮件.但是,当我的Web服务器升级到php 5.3时,对eregi的调用导致显示不赞成使用的错误.

I've been using the same php script to send emails from contact forms for years. But when my web server upgraded to php 5.3 the call to eregi was causing deprecated errors to display.

在Google搜索之后,我了解到可以使用stristr代替eregi.

After a Google search I learned that I could use stristr instead of eregi.

当我进行此简单的切换时,一切正常,但是我不是php向导,所以我想知道我的脚本是否仍然不受标头注入的侵害.

When I make this simple switch everything works just fine, but I'm no php wizard so I want to know if my script is still secure from header injections.

有人可以放心吗,并确认此脚本安全(或至少足够安全)可用于从联系表单发送电子邮件吗?

Can someone please put my mind at ease and confirm that this script is safe (or at least safe enough) to use for sending emails from a contact form?

以下是使用stristr的当前脚本的示例:

Here is an example of the current script with stristr in use:

    <?

$to="[email protected]";

// the $Name is the PHP variable, the _Post['Name'] should match the name of the input boxes in the form

$Name=$_POST['Name'];

$Email=$_POST['Email'];

$Phone=$_POST['Phone'];

$Message=$_POST['Message'];

// you can format the email anyway you want.

$message="Form submitted by $Name

Applicant Information:\n

Name: $Name

Email: $Email

Phone: $Phone

Message: $Message";

// Check for script HiJack

$arBadStr = array("Content-Type:", "MIME-Version:", "Content-Transfer-Encoding:", "bcc:", "cc:");

foreach($_POST as $tName => $tVal){

foreach($arBadStr as $tStr){

if(stristr($tStr, $tVal)){

$fSub = "Failed: Header Injection.";

reportError($fSub);

}}}





if(mail($to,"mywebsite.com contact Form Submission",$message,"From: $Name <$Email>")) {

echo "Thank you $Name for your interest. We will contact you shortly";

} else {

echo "There was a problem sending the mail. Please check that you filled in the form correctly.";

}



// Report error function called when test detects hijacking. Mails report to webmaster and kills process.

function reportError($fSub) {

while(list($name, $value) = each($_POST)) {

$eBody .= "$name : $value \n\r"; }

mail( "[email protected]", $fSub, $eBody, "From: Webmaster <[email protected]>");

exit(header("Location: http://www.mywebsite.com")); }

?>

更新

基于来自cryptic的如此慷慨的帮助,这就是我的新脚本的样子.如您所见,我已经删除了一些标头验证功能,而不是简单地清理输入字段.

UPDATE

Based on the ever-so-gracious help from cryptic this is what my new script looks like. As you can see I've stripped out some of the header validation functions in place of simply sanitizing the input fields.

    <?
$to="[email protected]";

// the $Name is the PHP variable, the _Post['Name'] should match the name of the input boxes in the form

$Name = str_replace(array("\n", "\r"), '', $_POST['Name']);
$Email = str_replace(array("\n", "\r"), '', $_POST['Email']);
$Phone = str_replace(array("\n", "\r"), '', $_POST['Phone']);
$Message = str_replace(array("\n", "\r"), '', $_POST['Message']);


function clean_string($string) {
      $bad = array("content-type","bcc:","to:","cc:","href");
      return str_replace($bad,"",$string);
    }

$Name = clean_string($Name);
$Email = clean_string($Email);
$Phone = clean_string($Phone);
$Message = clean_string($Message);


// you can format the email anyway you want.

$message="Form submitted by $Name

Applicant Information:\n

Name: $Name

Email: $Email

Phone: $Phone

Message: $Message";


if(mail($to,"mywebsite.com contact Form Submission",$message,"From: $Name <$Email>")) {

echo "Thank you $Name for your interest. We will contact you shortly";

} else {

echo "There was a problem sending the mail. Please check that you filled in the form correctly.";

}
?>

推荐答案

您尝试将BCC,CC之类的标头列入黑名单,但无法阻止TO,FROM.

You try to blacklist headers like BCC, CC but fail to block TO, FROM.

此规范允许大多数字段多次出现.除了 如前所述,此处未指定其解释及其用法 灰心丧气.

This specification permits multiple occurrences of most fields. Except as noted, their interpretation is not specified here, and their use is discouraged.

因此,攻击者将能够操纵消息以添加其他收件人和发件人.您实际上应该只是检查换行符和回车符,或者只是通过去除\ r和\ n字符来清除所有$ _POST值.

So an attacker would be able to manipulate the message to add additional recipients and senders. You should really just be checking for newlines and carriage returns or just sanitize all the $_POST values by stripping out \r and \n characters.

<?php

function clean_string($string)
{
    return str_replace(array("\n", "\r"), '', $string);
}

$to = '[email protected]';

// the $Name is the PHP variable, the _Post['Name'] should match the name of the input boxes in the form
$Name    = clean_string($Name);
$Email   = clean_string($Email);
$Phone   = clean_string($Phone);
$Message = clean_string($Message);

// you can format the email anyway you want.
$message = "Form submitted by $Name

Applicant Information:\n

Name: $Name

Email: $Email

Phone: $Phone

Message: $Message";

if (mail($to, 'mywebsite.com contact Form Submission', $message, "From: $Name <$Email>"))
{
    echo 'Thank you ' . htmlspecialchars($Name) . ' for your interest. We will contact you shortly';
}
else
{
    echo "There was a problem sending the mail. Please check that you filled in the form correctly.";
}

?>

这篇关于用stristr()替换已弃用的eregi().这个php邮件脚本不受标头注入的影响吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-21 07:10