堆栈内存溢出
  简体   繁体   English

在发送每封电子邮件之前过滤用户输入

[英]Filtering of user input before sending per email

 原文  2012-02-10 11:04:06       php/ security/ email/ sanitization

问题描述

I'm creating a simple feedback form in PHP: The user can just enter some comments/suggestions etc. about my site and click "Send feedback". 我正在用PHP创建一个简单的反馈表单:用户只需输入有关我的站点的一些评论/建议等,然后单击“发送反馈”。 Then the text he entered is send as the body of an email directly to me (ie I set the recipient address by myself, user's input is only used within the body of th mail). 然后,他输入的文本将作为电子邮件正文直接发送给我(即,我自己设置收件人地址,用户的输入仅在邮件正文中使用)。

Now I'm not sure, what sort of attacks would be possible if I simply take the unfiltered text and insert it into the email body. 现在,我不确定,如果我只接受未过滤的文本并将其插入电子邮件正文,将可能发生哪种攻击。

I'm currently working with the Joomla platform (ie I'm using Joomla's JMail functionality), but I think the question is more general: There's a lot of information about SQL injection and Cross-Site-Scripting (which are equivalent attack vectors), but I didn't find much about emails. 我目前正在使用Joomla平台(即,我正在使用Joomla的JMail功能),但我认为问题更笼统:关于SQL注入和跨站点脚本(等效的攻击媒介)有很多信息。 ,但我对电子邮件了解不多。

Note that in my case, the text is only sent per email, so I do not care about SQL-Injection or Cross-Site-Scripting (the email is sent as plain text). 请注意,在我的情况下, 通过电子邮件发送文本,因此我不在乎SQL注入或跨站点脚本(电子邮件以纯文本形式发送)。 So what kind of filtering should I apply? 那么我应该采用哪种过滤?

Thanks Martin 谢谢马丁

2 个解决方案

解决方案1
 0  2012-02-10 11:07:44

Since you are expecting only comments and suggestions, you can simply remove any characters other thant alphabets, numbers, and ".", ",". 由于只需要评论和建议,因此您可以简单地删除除字母,数字和“。”,“。”以外的任何字符。 Even if it removes other characters it wouldn't matter to you, you would get to know what they mean. 即使删除了其他字符,这对您也没有关系,您也将了解它们的含义。 The "=" is the biggest enemy. “ =“是最大的敌人。 But the set I described should keep you safe. 但是我所描述的场景应该可以确保您的安全。

解决方案2
 0  2012-02-10 11:14:11

Most important will be SPAM protection. 最重要的是垃圾邮件防护。

If you send email in HTML you should filter tags (strip_tags or htmlspecialchars) or validate user's HTML (HTMLPurifier http://htmlpurifier.org/ ) 如果您使用HTML发送电子邮件,则应过滤标签(strip_tags或htmlspecialchars)或验证用户的HTML(HTMLPurifier http://htmlpurifier.org/

Limiting the length of the message also can be useful. 限制消息的长度也很有用。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 通过邮件发送之前清理用户输入 - Cleaning user input before sending it in mail PHP代码,用于从发送电子邮件的网站发送电子邮件,但并非所有用户输入均按预期方式 - PHP code for sending email from website sending email but not all of user's input as intended 将用户输入过滤为CSS - Filtering user input as CSS PHP中的用户输入过滤 - User Input filtering in PHP 过滤用户输入 - Filtering User Input 发送前格式化文本区域(电子邮件) - Formatting a textarea(email) before sending it 在通过电子邮件发送之前,我是否需要清理用户输入的数据 - Do I need to sanitize user-inputted data, before sending it in an email 发送PHP邮件时,如何在用户的电子邮件地址前显示其名称? - How do I display the user's name before the their email address when sending PHP mail? 根据状态向用户发送电子邮件 - sending an email to the user depending on statusmy 使用过滤日期过滤用户输入 - Filter user input with filtering date
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM