[英]PHP 5 HTML 5 contact form
I am very new to website design/programming and learned allot of html, css and a bit of php over the past few weeks. 我是网站设计/编程的新手,在过去的几周中学习了html,css和php的分配。 This is my first post here, Wish me luck :)
这是我在这里的第一篇文章,祝我好运:)
I am attempting to create a mail form from what I have learned from various websites, the form works but I have an issue with sanitizing the input, I'm not sure if I am doing it correctly as I can still "inject" code into the fields. 我正在尝试从我从各个网站上学到的内容创建一个邮件表单,该表单可以运行,但是在清理输入内容方面存在问题,我不确定自己是否正确执行,因为我仍然可以将代码“注入”田野。
<?php session_start(); ?>
<!DOCTYPE html>
<html>
<body>
<?php
$ip = $_SERVER['REMOTE_ADDR'];
$browser = $_SERVER['HTTP_USER_AGENT'];
if (isset($_POST['submit'])) {
$error = '';
// Name
$name = filter_var($_POST['name'], FILTER_SANITIZE_STRING);
// Telephone Number
$phone= filter_var($_POST['phone'], FILTER_SANITIZE_NUMBER_INT);
// Email Address
$email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
if(!filter_var($email, FILTER_VALIDATE_EMAIL)){
$error = 'You have not entered a valid email address.<br/>';
}
// Message
$message = filter_var($_POST['message'], FILTER_SANITIZE_STRING);
if (empty($error)) {
$from = 'From: ' . $name . ' <' . $email . '>';
$to = 'YourEmailHere';
$subject = 'Message from Contact Form';
$content = $name . ' has sent you a message: \n' . $message . '\n\nPhone Number: ' . $phone . '\n\nIP: ' . $ip . '\nBrowser:' . $browser;
$success = '<h3>Thank you!<br /> Your message has been sent!</h3>';
//mail($to,$subject,$content,$from);
}
}
?>
<h1>Contact Form</h1>
<br/>
<?php
if (!empty($error)) {
echo '<p class="error"><strong>Your message was NOT sent<br/> The following error(s) returned:</strong><br/><br/>' . $error . '<br/><strong>Please try again.</strong><br/></p>';
} elseif (!empty($success)) {
echo $success;
}
?>
<form action="" method="post">
Name:
<input type="text" name="name" required placeholder="Name" value="<?php { echo $_POST['name']; } ?>"><br/>
Telephone:
<input type="text" name="phone" required placeholder="Telephone Number e.g.0123456789" value="<?php { echo $_POST['phone']; } ?>"><br/>
Email:
<input type="text" name="email" required placeholder="Email Address" value="<?php { echo $_POST['email']; } ?>"><br/>
Message:<br />
<textarea name="message" required placeholder="Message" rows="20" cols="20"><?php { echo $_POST['message']; } ?></textarea><br/>
<input type="submit" class="submit" name="submit" value="Send message">
<br/>
</form>
<!-- Below is Just for testing -->
<?php echo '<br/>Name : ' . $name . '<br/><br/>Phone : ' . $phone . '<br/><br/>Email : ' . $email . '<br/><br/>Message : ' . $message . '<br/>'; ?>
<br/>
</body>
</html>
I'll add layout/css later once I get the code working the way I would like. 一旦使代码按我希望的方式工作,我将在以后添加layout / css。 any assistance will be most appreciated.
任何帮助将不胜感激。
The "injection" code I am testing with is simply 我正在测试的“注入”代码很简单
"><script>alert('Broke');</script>
the sanitize works fine if I leave out the leading ">, even just using the "> alone messes up and page a little, I would like to know if there is a way to filter these just using options available in php. 如果我不使用领先的“>,则进行清理工作效果很好,即使仅使用”>弄乱了并翻页了一下,我也想知道是否有一种方法可以仅使用php中提供的选项对其进行过滤。 Once I get input into this simple form working correctly I plan to use database functionality on the rest of the site so it is important to me that I get a good understanding of filtering for obvious reasons.
一旦我输入了可以正常工作的简单表单的输入,我计划在网站的其余部分上使用数据库功能,因此对我来说很重要的一点是,由于明显的原因,我对过滤进行了很好的理解。
Thanks in Advance. 提前致谢。
Aaron 亚伦
Another Question, as you can see from the code I display an error if the email address is not valid according to the FILTER_VALIDATE_EMAIL, how would I go about doing this on the other fields (Name[text only], Telephone Number[10 digit telephone number] and Message[text with punctuation]) ? 从代码中可以看到另一个问题,根据FILTER_VALIDATE_EMAIL,如果电子邮件地址无效,我将显示一个错误,我将如何在其他字段(名称[纯文字],电话号码[10位数电话] number]和Message [带标点的文本])?
I am also looking to add captcha script, a simple "random number [random calculation type +-X/] random number = answer" with the random numbers and calculation type displayed as an image, not sure where to start with this or if it would be too complicated for visitors. 我还想添加验证码脚本,一个简单的“随机数[随机计算类型+ -X /]随机数=答案”,并将随机数和计算类型显示为图像,不确定从何处开始或是否从此开始对于访客来说太复杂了。
You are echoing the $_POST
variables without sanitising them. 您正在回显
$_POST
变量而不对其进行消毒。
Wrap them in htmlspecialchars()
like this: 将它们包装在
htmlspecialchars()
如下所示:
echo htmlspecialchars($_POST['message']);
You are doing some basic sanitising and validation but then proceeding to echo the raw (un-sanitised data) back to the client within the form. 您正在执行一些基本的清理和验证,然后继续将原始(未清理的数据)回显到表单内的客户端。
<?php { echo $_POST['email']; } ?>
Change your value outputs to check for the sanitised values and output them appropriately. 更改值输出以检查经过清理的值并适当地输出它们。
<?php echo (isset($email) ? $email : ''); ?>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.