PHP Development Basics Tutorial - Secure E-mail
1. PHP E-mail injection
There is a security vulnerability in the PHP e-mail script
Look at the previous one PHP code in chapter:
<html>
<head>
<meta charset="utf-8">
<title>php中文网(php.cn)</title>
</head>
<body>
<?php
if (isset($_REQUEST['email'])) { // 如果接收到邮箱参数则发送邮件
// 发送邮件
$email = $_REQUEST['email'] ;
$subject = $_REQUEST['subject'] ;
$message = $_REQUEST['message'] ;
mail("someone@example.com", $subject,
$message, "From:" . $email);
echo "邮件发送成功";
} else { // 如果没有邮箱参数则显示表单
echo "<form method='post' action='mailform.php'>
Email: <input name='email' type='text'><br>
Subject: <input name='subject' type='text'><br>
Message:<br>
<textarea name='message' rows='15' cols='40'>
</textarea><br>
<input type='submit'>
</form>";
}
?>
</body>
</html>The problem with the above code is that unauthorized users can insert data in the email header through the input form.
What will happen if the user adds the following text to the email in the input box in the form?
someone@example.com%0ACc:person2@example.com
%0ABcc:person3@example.com,person3@example.com,
anotherperson4@example. com,person5@example.com
%0ABTo:person6@example.com
As usual, the mail() function puts the above text into the email header, so now the header has Added additional Cc:, Bcc: and To: fields. When the user clicks the submit button, this e-mail will be sent to all the addresses above!
2. PHP E-mail Injection
The best way to prevent e-mail injection is to validate the input. (Similar to form validation)
The following code is similar to that in the previous chapter, but here we have added an input validation program to detect the email field in the form:
<html>
<head>
<meta charset="utf-8">
<title>php中文网(php.cn)</title>
</head>
<body>
<?php
function spamcheck($field)
{
// filter_var() 过滤 e-mail
// 使用 FILTER_SANITIZE_EMAIL
$field=filter_var($field, FILTER_SANITIZE_EMAIL);
//filter_var() 过滤 e-mail
// 使用 FILTER_VALIDATE_EMAIL
if(filter_var($field, FILTER_VALIDATE_EMAIL))
{
return TRUE;
}
else
{
return FALSE;
}
}
if (isset($_REQUEST['email']))
{
// 如果接收到邮箱参数则发送邮件
// 判断邮箱是否合法
$mailcheck = spamcheck($_REQUEST['email']);
if ($mailcheck==FALSE)
{
echo "非法输入";
}
else
{
// 发送邮件
$email = $_REQUEST['email'] ;
$subject = $_REQUEST['subject'] ;
$message = $_REQUEST['message'] ;
mail("someone@example.com", "Subject: $subject",
$message, "From: $email" );
echo "Thank you for using our mail form";
}
}
else
{
// 如果没有邮箱参数则显示表单
echo "<form method='post' action='mailform.php'>
Email: <input name='email' type='text'><br>
Subject: <input name='subject' type='text'><br>
Message:<br>
<textarea name='message' rows='15' cols='40'>
</textarea><br>
<input type='submit'>
</form>";
}
?>
</body>
</html>Summary: In the above code, we used a PHP filter to validate the input:
FILTER_SANITIZE_EMAIL filter removes the email from the string Illegal characters
FILTER_VALIDATE_EMAIL Filter validates the value of the email address
You can Read more about filters in our PHP Filter.
![Front-end project-Shangyou [HTML/CSS/JS technology comprehensive practice]](https://img.php.cn/upload/course/000/000/068/63bfcb2974f91471.jpg)
![Zero-based front-end course [Vue advanced learning and practical application]](https://img.php.cn/upload/course/000/000/068/63bbd15353895588.jpg)
![WEB front-end tutorial [HTML5+CSS3+JS]](https://img.php.cn/upload/course/000/000/068/63ba60c8da520536.jpg)
![Apipost practical application [api, interface, automated testing, mock]](https://img.php.cn/upload/course/000/000/068/63b3c967a20f4861.jpg)
