Validating a form for email exploits is not working
I have a contact form on my website. I made a class to handle the whole process. But there is something not working in it.
I have 2 functions to check for exploitation and they are not working. I don't know what's wrong with them, so here they are:
    private function _validateExploit($val) {
        $exploitPattrens = array('content-type', 'to:', 'bcc:', 'cc:', 'document.cookie', 'document.write', 'onclick', 'onload', '\n', '\r', '\t', '%0A', '%0D', '%08', '%09');
        foreach ($exploitPattrens as $exploit) {
            if (strpos($exploit, $val) !== false){
                return true;
            }
        }
        return false;
    }
    public function isExploit () {
        if(call_user_func_array(array($this, '_validateExploit'), $_POST)) {
            echo $errorMsg;
        }
    }
When I call isExploit() it always returns false, no matter what I give it as input. I guess there is something wrong with the call_user_func_array, but I can't find it.
Thanks in advance!
strpos($exploit, $val) should be strpos($val, $exploit).
You also have echo $errorMsg; but $errorMsg is never defined.
And I think you probably want array_walk ( http://us3.php.net/manual/en/function.array-walk.php ) rather than call_user_func_array. I would just loop through $_POST rather than use either of those functions though. I don't think they really buy you anything in this case - and they might not return values the way you are expecting.
You are passing the $_POST variable to the function. $_POST is an array as the call_user_func_array() function requires, but you are not treating it like an array in the _validateExploit function. You are treating it like a string. You need to loop through the $val array as well, testing each item in that array, or just pick one. You also have your haystack and needle reversed in strpos() as indicated in another answer.
    private function _validateExploit($val) {
        // Control characters must be double-quoted: in PHP, '\n' in single quotes
        // is the two characters backslash and n, not a newline.
        $exploitPattrens = array('content-type', 'to:', 'bcc:', 'cc:', 'document.cookie', 'document.write', 'onclick', 'onload', "\n", "\r", "\t", '%0A', '%0D', '%08', '%09');
        foreach ($exploitPattrens as $exploit) {
            // $val is the array of submitted fields; test every item in it
            foreach ($val as $itm) {
                // haystack first, then needle
                if (strpos($itm, $exploit) !== false){
                    return true;
                }
            }
        }
        return false;
    }
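Putting both answers together, as an added example that is not the poster's or either answerer's code: it loops over every POST field (nested arrays included), passes haystack and needle in the right order, uses real control characters instead of single-quoted '\n', and defines the error message before echoing it. The class name ContactForm, the method findExploit and the sample arrays are assumptions for illustration.

```php
<?php
// Added example, not the poster's code: the check discussed above with the
// haystack/needle order fixed, every field looped, and $errorMsg defined.
// Control characters are double-quoted: in PHP '\n' is a literal backslash-n.
class ContactForm
{
    private $exploitPatterns = array(
        'content-type', 'to:', 'bcc:', 'cc:', 'document.cookie', 'document.write',
        'onclick', 'onload', "\n", "\r", "\t", '%0A', '%0D', '%08', '%09',
    );
    // Returns the name of the first matching field, or null if all are clean.
    // Nested arrays (fields posted as name[]) are searched recursively.
    public function findExploit(array $fields, $prefix = '')
    {
        foreach ($fields as $name => $value) {
            $label = $prefix === '' ? (string) $name : $prefix . '[' . $name . ']';
            if (is_array($value)) {
                $hit = $this->findExploit($value, $label);
                if ($hit !== null) {
                    return $hit;
                }
                continue;
            }
            foreach ($this->exploitPatterns as $pattern) {
                // stripos: header names are case-insensitive ("Bcc:" matches "bcc:")
                if (stripos((string) $value, $pattern) !== false) {
                    return $label;
                }
            }
        }
        return null;
    }
    public function isExploit()
    {
        $errorMsg = 'Invalid input detected.';
        $field = $this->findExploit($_POST);
        if ($field !== null) {
            echo $errorMsg;
            return true;
        }
        return false;
    }
}
// Constructed sample input standing in for $_POST (hypothetical values):
$form = new ContactForm();
$clean = array('name' => 'Alice', 'message' => 'Hello');
$injected = array('name' => 'Bob', 'email' => "bob@example.com\r\nBcc: x@example.net");
var_dump($form->findExploit($clean));
var_dump($form->findExploit($injected));
```

findExploit returns null for the first array and the field name 'email' for the second, so the caller can log which field tripped the check rather than only printing a generic message.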