Contact Form input filtering
While reviewing the contact form I found a cross-site scripting vulnerability, but I don't know enough about how to fix it. The scanner reported:
Affected parameter: name. Vector used: ">alert(document.cookie). Pattern found: \">alert(document.cookie). Full attack: http://###################/contact.php [name=\">alert(document.cookie)&email=&message=]
Affected parameter: email. Vector used: ">alert(document.cookie). Pattern found: \">alert(document.cookie). Full attack: http://###################/contact.php [name=&email=\">alert(document.cookie)&message=]
Affected parameter: message. Vector used: ">alert(document.cookie). Pattern found: \">alert(document.cookie). Full attack: http://###################/contact.php [name=&email=&message=\">alert(document.cookie)]
My current form code looks like this:
<?php
if (isset($_POST['submit'])) {
    $error = "";
    if (!empty($_POST['name'])) {
        $name = $_POST['name'];
        if (!preg_match('/^[a-zA-Z0-9]+$/i', $name)) {
            $error .= "The name you entered is not valid. <br/>";
        }
    } else {
        $error .= "You didn't type in your name. <br />";
    }
    if (!empty($_POST['email'])) {
        $email = $_POST['email'];
        if (!preg_match("/^[_a-z0-9]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i", $email)) {
            $error .= "The e-mail address you entered is not valid. <br/>";
        }
    } else {
        $error .= "You didn't type in an e-mail address. <br />";
    }
    if (!empty($_POST['messagesubject'])) {
        $messagesubject = $_POST['messagesubject'];
    } else {
        $error .= "You didn't type in a subject. <br />";
    }
    if (!empty($_POST['message'])) {
        $message = $_POST['message'];
    } else {
        $error .= "You didn't type in a message. <br />";
    }
    if (($_POST['code']) == $_SESSION['code']) {
        $code = $_POST['code'];
    } else {
        $error .= "The captcha code you entered does not match. Please try again. <br />";
    }
    if (empty($error)) {
        $from = 'From: ' . $name . ' <' . $email . '>';
        $to = "aaron@fosternetwork.co.uk";
        $subject = strip_tags("CWS - Contact Us - \n" . $messagesubject);
        $content = strip_tags("Name: " . $name . "\nSubject: " . $messagesubject . "\nMessage: \n" . $message);
        $success = "<h2>Thank you! <span>Your message has been sent!</span></h2>";
        mail($to, $subject, $content, $from);
        $emailSent = true;
    }
}
?>
Form:
<form action="contact.php" method="post">
    <label>Name:</label>
    <input type="text" name="name" value="<?php if ($_POST['name']) { echo $_POST['name']; } ?>" />
    <label>Email:</label>
    <input type="text" name="email" value="<?php if ($_POST['email']) { echo $_POST['email']; } ?>" />
    <label>Subject:</label>
    <input type="text" name="messagesubject" value="<?php if ($_POST['messagesubject']) { echo $_POST['messagesubject']; } ?>" />
    <label>Message:</label><br />
    <textarea name="message" rows="20" cols="20"><?php if ($_POST['message']) { echo $_POST['message']; } ?></textarea>
    <label>Please input the following code: <img src="captcha.php"></label>
    <input type="text" name="code"> <br />
    <button type="submit" class="colorButton" name="submit" value="Send message">Send Message</button>
</form>
Any help is greatly appreciated.
Your HTML code has a flaw:
value="<?php if ($_POST['name']) { echo $_POST['name']; } ?>"
You should always escape output variables, i.e.:
value="<?php if ($_POST['name']) { echo htmlspecialchars($_POST['name']); } ?>"
Never trust user input. Someone can insert JavaScript code that may compromise the system or do something similar, and that is why you are vulnerable to cross-site scripting. Clean the posted input by passing it through this function:
function xss_protect($data, $strip_tags = false, $allowed_tags = "\"\'") {
    // Optionally drop HTML tags first, keeping only the allowed ones (plus <b>)
    if ($strip_tags) {
        $data = strip_tags($data, $allowed_tags . "<b>");
    }
    // Encode every HTML-significant character; ENT_QUOTES covers both quote styles
    if (stripos($data, "script") !== false) {
        // Extra measure: break up the word "script" in the encoded output
        $result = str_replace("script", "scr<b></b>ipt", htmlentities($data, ENT_QUOTES, "UTF-8"));
    } else {
        $result = htmlentities($data, ENT_QUOTES, "UTF-8");
    }
    return $result;
}
To use the function, for example:
$code = xss_protect($_POST['code']);
You should also adopt some good programming habits, such as:
Initialize your variables. That way you always have something to print when debugging, and you avoid many simple but annoying errors.
$name = false;
$email = false;
$message = false;
$messagesubject = false;
Only modify the data when you actually receive a new value, for example by taking it from $_POST when it is present. If you do it this way, the script avoids doing work for a field that has no data, and you can control the script's flow and data validation more easily.
// process_you_choose_to_clean() stands for whatever cleaning function you pick (e.g. xss_protect above)
if (isset($_POST['name'])) {
    // validate the content
    $name = process_you_choose_to_clean($_POST['name']);
}
if (isset($_POST['email'])) {
    // validate the content
    $email = process_you_choose_to_clean($_POST['email']);
}
if (isset($_POST['message'])) {
    // validate the content
    $message = process_you_choose_to_clean($_POST['message']);
}
if (isset($_POST['messagesubject'])) {
    // validate the content
    $messagesubject = process_you_choose_to_clean($_POST['messagesubject']);
}
Try to avoid cluttering the HTML part with code. If you take care of what I mentioned above, something like this works fine:
<input type="text" name="name" value="<?php echo $name; ?>" />
Regarding sanitizing, consider the options mentioned and also use PHP's filter_var options.
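As an added example that is neither the asker's nor the answerer's code, here is a hardened rewrite of the contact form that puts the answer's points together: every variable is initialised before use, input is validated with filter_var, all user data is escaped with htmlspecialchars at the point where it is echoed into the HTML, and the mail headers are built so that the visitor's input cannot add header lines. It assumes the question's field names (name, email, messagesubject, message, code), a captcha value stored in $_SESSION['code'] by captcha.php, and placeholder mail addresses; the helper names e() and post() are my own.

```php
<?php
// Added example, not the asker's or the answerer's code. Assumes the question's
// field names, a captcha stored in $_SESSION['code'] by captcha.php, and
// placeholder mail addresses (example.invalid).
declare(strict_types=1);

session_start();

// Escape a value for an HTML attribute or element body. ENT_QUOTES covers both
// quote characters, so "> cannot close value="...", and ENT_SUBSTITUTE keeps
// invalid UTF-8 from turning the whole output into an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read a POST field as a trimmed string, '' when absent (no undefined-index notices).
function post(string $key): string
{
    return isset($_POST[$key]) && is_string($_POST[$key]) ? trim($_POST[$key]) : '';
}

// Initialise every variable before use, as the answer recommends.
$name           = post('name');
$email          = post('email');
$messagesubject = post('messagesubject');
$message        = post('message');
$code           = post('code');
$errors         = [];
$emailSent      = false;

if (isset($_POST['submit'])) {
    if ($name === '') {
        $errors[] = "You didn't type in your name.";
    } elseif (!preg_match('/^[\p{L}\p{N} .\'-]{1,100}$/u', $name)) {
        $errors[] = 'The name you entered is not valid.';
    }

    // filter_var replaces the hand-written regex. FILTER_VALIDATE_EMAIL rejects
    // CR and LF, so the address cannot smuggle extra mail headers.
    if ($email === '') {
        $errors[] = "You didn't type in an e-mail address.";
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'The e-mail address you entered is not valid.';
    }

    if ($messagesubject === '') {
        $errors[] = "You didn't type in a subject.";
    } elseif (preg_match('/[\r\n]/', $messagesubject) === 1) {
        $errors[] = 'The subject must be a single line.'; // a newline would start a new header
    }

    if ($message === '') {
        $errors[] = "You didn't type in a message.";
    }

    // Strict, constant-time comparison instead of loose ==; one attempt per captcha.
    $expected = $_SESSION['code'] ?? '';
    unset($_SESSION['code']);
    if (!is_string($expected) || $expected === '' || !hash_equals($expected, $code)) {
        $errors[] = 'The captcha code you entered does not match. Please try again.';
    }

    if ($errors === []) {
        $to      = 'contact@example.invalid'; // placeholder recipient
        $subject = 'CWS - Contact Us - ' . $messagesubject;
        $content = "Name: {$name}\nSubject: {$messagesubject}\nMessage:\n{$message}";
        // Our own address goes in From; the visitor's validated address in Reply-To.
        $headers   = "From: Contact form <no-reply@example.invalid>\r\nReply-To: {$email}";
        $emailSent = mail($to, $subject, $content, $headers);
    }
}
?>
<?php foreach ($errors as $err): ?>
<p class="error"><?= e($err) ?></p>
<?php endforeach; ?>
<?php if ($emailSent): ?>
<h2>Thank you! <span>Your message has been sent!</span></h2>
<?php endif; ?>
<form action="contact.php" method="post">
<label>Name:</label>
<!-- every echo of user data goes through e(), so the scanner's "> payload is rendered as text -->
<input type="text" name="name" value="<?= e($name) ?>" />
<label>Email:</label>
<input type="text" name="email" value="<?= e($email) ?>" />
<label>Subject:</label>
<input type="text" name="messagesubject" value="<?= e($messagesubject) ?>" />
<label>Message:</label><br />
<textarea name="message" rows="20" cols="20"><?= e($message) ?></textarea>
<label>Please input the following code: <img src="captcha.php"></label>
<input type="text" name="code"> <br />
<button type="submit" class="colorButton" name="submit" value="Send message">Send Message</button>
</form>
```

The design choice worth noting is that escaping happens on output, not on input: the stored $name stays the raw validated string (so the mail body and any later database use see the real value), and e() is applied wherever that string lands in HTML. Submitting the scanner's \">alert(document.cookie) payload in any field now produces &quot;&gt;alert(document.cookie) inside the attribute, which the browser shows as text rather than parsing as markup.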