Is this junk input, from a bot filling up a form on my website, safe?

Views: 124

Question

So I use PHP and have a contact form on my website. Once users fill up the form and submit, it will shoot an email to me. I have been receiving junk input from a bot, I assume, like below. This is the result of print_r($_REQUEST). I removed some parameters for simplicity.

Array
(
   [name] => rycpufrwq
   [email] => raaszg@fqhzdm.com
   [company] => naCuklaLMab
   [website] => http://ujpbfhazkpzv.com/
   [message] => cBimwx  <a href=\"http://pxlahgqmdrhs.com/\">pxlahgqmdrhs</a>, [url=http://sjmbrhkycvbz.com/]sjmbrhkycvbz[/url], [link=http://rddqwgzwvrhv.com/]rddqwgzwvrhv[/link], http://csohvhsvdisc.com/
)

On such request, I don't write to db or anything. I only send an email by calling mail(). Specifically, mail($to,$subject,$body,$headers) where $headers is:

$headers="From:$email_from\r\nBcc:$email_bcc\r\nReply-To:$name<$email>\r\n";

$name is $_REQUEST['name'] and $email is $_REQUEST['email'], but I strip out all "\r" and "\n" if any because they can put "\r\nCc:<a list of emails>" and they would be able to send spam emails using my domain.

However, for an input I mentioned above, I don't see 'newline' under 'email' field. Hence, I assume it is a different kind of attack. Is there something I should be aware of?

Recommended answer


Hence, I assume it is a different kind of attack.

I doubt it. This doesn't look like an E-Mail injection attack, but a simple run-of-the-mill bot trying to get its content linked in as many places (e.g. comment threads) as possible. That's why the [link] notation is there, to cause the URL to be linked in BBCode.

Except for the fact that it's trash, I can see nothing malicious in the message.

To stop this, as others say, captcha solutions are the most popular way; there are others. See the related questions on SO, e.g. Blocking comment spam without using captcha
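The precaution described in the question (stripping "\r" and "\n" from name and email before they reach mail() headers) and the answer's diagnosis (a link-spam bot, not a mail-injection attempt) can both be handled in the same form handler. The PHP below is an added example, not code from the asker or the answerer: the function names, the placeholder addresses, the refuse-rather-than-strip policy and the URL-count threshold are assumptions. It treats a CR/LF in a header field as a reason to drop the request entirely, validates the address with filter_var(), and flags messages carrying BBCode/HTML link markup or several bare URLs so they never produce an e-mail.

```php
<?php
// Added example (not from the question or the answer): hardened contact-form
// handler for the fields shown in the print_r($_REQUEST) dump above.
declare(strict_types=1);

/**
 * Returns the value if it is safe to place in a mail header, or null if it
 * contains CR, LF or NUL (the precondition for a "\r\nCc: ..." injection).
 * Refusing the request is preferable to silently stripping the characters,
 * because the attempt itself is worth logging. $maxLen is an assumed limit.
 */
function headerSafe(string $value, int $maxLen = 200): ?string
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        return null;
    }
    $value = trim($value);
    return strlen($value) <= $maxLen ? $value : null;
}

/** Strict address check; FILTER_VALIDATE_EMAIL also rejects line breaks. */
function validEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Heuristic for the pattern in the posted sample: BBCode/HTML link markup,
 * or more bare URLs than a real enquiry would carry ($maxUrls is assumed).
 */
function looksLikeLinkSpam(string $message, int $maxUrls = 2): bool
{
    if (preg_match('#\[(url|link)=|<a\s+href=#i', $message) === 1) {
        return true;
    }
    return preg_match_all('#https?://#i', $message) > $maxUrls;
}

/**
 * Builds the arguments for mail(), or returns null when the request must not
 * send anything (injection attempt, bad address, or link spam).
 */
function buildContactMail(array $req, string $to, string $fromAddress, string $bcc): ?array
{
    $name    = headerSafe((string)($req['name'] ?? ''));
    $email   = headerSafe((string)($req['email'] ?? ''));
    $message = (string)($req['message'] ?? '');

    if ($name === null || $email === null || !validEmail($email)) {
        return null;
    }
    if (looksLikeLinkSpam($message)) {
        return null;
    }

    // The display name is quoted with embedded quotes/backslashes removed, so
    // it cannot change the Reply-To header grammar; the address was validated.
    $displayName = str_replace(['"', '\\'], '', $name);
    $headers = "From: $fromAddress\r\n"
             . "Bcc: $bcc\r\n"
             . "Reply-To: \"$displayName\" <$email>\r\n";

    return [$to, 'Contact form', $message, $headers];
}

// Constructed sample mirroring the bot submission in the question.
$botSample = [
    'name'    => 'rycpufrwq',
    'email'   => 'raaszg@fqhzdm.com',
    'message' => 'cBimwx <a href="http://pxlahgqmdrhs.com/">x</a>, [url=http://sjmbrhkycvbz.com/]y[/url]',
];
// Constructed sample of the header-injection shape the question guards against.
$injectionSample = [
    'name'    => "Bob\r\nCc: someone@example.net",
    'email'   => 'bob@example.com',
    'message' => 'Hello',
];
// Constructed legitimate enquiry with a single URL.
$legitSample = [
    'name'    => 'Alice',
    'email'   => 'alice@example.com',
    'message' => 'Hi, could you look at https://example.com/page ?',
];

foreach (['bot' => $botSample, 'injection' => $injectionSample, 'legit' => $legitSample] as $label => $req) {
    $args = buildContactMail($req, 'me@example.com', 'form@example.com', 'bcc@example.com');
    echo $label, ': ', $args === null ? "dropped\n" : "would send\n";
    // if ($args !== null) { mail(...$args); }   // send only once every gate has passed
}
```

Only the legitimate sample reaches the send branch; the bot sample is rejected by the link heuristic and the injection sample by the CR/LF gate before any header string is assembled.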
