每天早上 10:53 整,我都会收到 1-2 封空白电子邮件,由某种实体使用我的 send.php 文件。
我知道这是我的网站上的PHP发送文件的结果,但我对PHP了解不多。几周前,我花了很多时间寻找清晰的信息,告诉我如何使用 php 设置我的输入表单,让它最初发送并走到这一步。但我知道我的代码中有一些非常明显的安全漏洞。
我想知道我在表单上做错了什么以锁定它,这样我就不会再受到垃圾邮件的打击。
我有一个 JavaScript 蜜罐,它只是一个输入字段,如果选择隐藏字段,它将值从 true 更改为 false,表单将不再提交表单,而是向用户发出警报,说明他们已成功提交表单,并且页面只是重新加载(可能不是那么好的解决方案)。
我继续用 some@email.com 替换了我的电子邮件
<?php
$sname = $_POST['name'];
$slastname = $_POST['last-name'];
$semail = $_POST['email'];
$semailconfirm = $_POST['confirm-email'];
$sphone = $_POST['phone-number'];
$smessage = filter_var($_POST['message'], FILTER_SANITIZE_STRING );
$formerrors = false;
if ($sname === '') :
echo "<div>Sorry, first name is a required field</div>";
endif; //input field empty
if (!(preg_match('/[a-zA-Z]+/', $sname)) ) :
echo "<div>Sorry, first name doesnt follow the allowed pattern</div>";
endif; //pattern doesnt match
if ($slastname === '') :
echo "<div>Sorry, last name is a required field</div>";
endif; //input field empty
if (!(preg_match('/[a-zA-Z]+/', $slastname)) ) :
echo "<div>Sorry, last name doesnt follow the allowed pattern</div>";
endif; //pattern doesnt match
if ($semail === '') :
echo "<div>Sorry, email is a required field</div>";
endif; //input field empty
if ($semailconfirm !== $semail) :
echo "<div>Sorry, emails must match</div>";
endif; //input field empty
if ($smessage === '') :
echo "<div>Sorry, your message has no content</div>";
endif; //input field empty
if (!($formerrors)) :
$to = "some@email.com";
$subject = "From $sname $slastname -- $semail -- $sphone";
$message = "$sname filled out the form";
$replyto = "From: $semail 'r'n".
"Reply-To: some@email.com 'r'n";
if (mail($to, $subject, $smessage)):
$msg = "Thanks for filling out my contact form";
else:
$msg = "problem sending message";
endif; //mail form data
endif; //check for errors
?>
我每天收到的电子邮件说
从----
并且文本正文中没有任何内容
你从来没有这样设置$formerrors
if ($sname === '') :
echo "<div>Sorry, first name is a required field</div>";
endif; //input field empty
您的其他检查仅输出错误,但仍会处理表单。
尝试:
if ($sname === '') :
echo "<div>Sorry, first name is a required field</div>";
$formerrors = true;
endif; //input field empty
Recaptcha是唯一具有成本效益的方法,所以我不会放弃它。这很简单:
-
由于您使用的是php,因此这是您需要的形式(添加"php"部分):
<form method="post" action="verify.php"> <?php require_once('recaptchalib.php'); $publickey = "your_public_key"; // you got this from the signup page echo recaptcha_get_html($publickey); ?> <input type="submit" /> </form>
-
然后,您在验证.php(或您提交表单数据的任何位置)进行 recpatcha 验证:
<?php require_once('recaptchalib.php'); $privatekey = "your_private_key"; $resp = recaptcha_check_answer ($privatekey, $_SERVER["REMOTE_ADDR"], $_POST["recaptcha_challenge_field"], _POST["recaptcha_response_field"]); if (!$resp->is_valid) { // What happens when the CAPTCHA was entered incorrectly die ("The reCAPTCHA wasn't entered correctly. Go back and try it again." . "(reCAPTCHA said: " . $resp->error . ")"); } else { // Your code here to handle a successful verification } ?>
-
就是这样。
出现错误时,您似乎忘记将$formerrors
标志设置为true
。 尝试类似操作:
if (trim($sname) == '')
{
$formerrors = true;
echo "<div>Sorry, first name is a required field</div>";
}