传递表单变量的安全方式 [英] secure way of passing form variable
本文介绍了传递表单变量的安全方式的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我为我的wordpress主题构建联系表单。我希望能够从后端输入接收器地址。目前我正在通过隐藏的输入字段传递变量。
Im building a contact form for my wordpress theme. I want the ability to enter a receiver adress from the backend. At the moment I am passing the variable with a hidden input field.
<input type="text" class="hidden" name="receiver" value="<?php get_option('admin_email') ?>"/>
我读到我不会这样做,因为它不安全。但是,我该怎么做呢?
I read that I shouln't do this, because its insecure. But how would I do it then?
编辑:这是我的process.php。
Here is my process.php. I tried to get the admin email but that breaks it somehow.
<?php if( isset($_POST) ){
//form validation vars
$formok = true;
$errors = array();
//sumbission data
$ipaddress = $_SERVER['REMOTE_ADDR'];
$date = date('d.m.Y');
$time = date('H:i');
//form data
$name = $_POST['name'];
$email = $_POST['email'];
$website = $_POST['website'];
$budget = $_POST['budget'];
$message = $_POST['message'];
$receiver = $_POST['receiver'];
$sender = get_option('admin_email');
if(empty($name)){
$formok = false;
$errors[] = "Sie haben keinen Namen angegeben.";
}
if(empty($email)){
$formok = false;
$errors[] = "Sie haben keine Emailadresse angegeben.";
//validate email address
}elseif(!filter_var($email, FILTER_VALIDATE_EMAIL)){
$formok = false;
$errors[] = "Sie haben keine gültige Emailadresse angegeben.";
}
if(empty($message)){
$formok = false;
$errors[] = "Das Nachrichtenfeld ist leer.";
}
elseif(strlen($message) < 20){
$formok = false;
$errors[] = "Ihre Nachricht muss mindestens 20 Zeichen enthalten.";
}
if($formok){
$headers = "From: {$email}" . "\r\n";
$headers .= 'Content-type: text/html; charset=UTF-8' . "\r\n";
$emailbody = "<p><strong>Name: </strong> {$name} </p>
<p><strong>Website: </strong> {$website} </p>
<p><strong>Nachricht: </strong> {$message} </p>
<p>Diese Nachricht wurde am {$date} um {$time} über {$sender} gesendet.</p>";
if($receiver){
mail($receiver,"Anfrage ".$name,$emailbody,$headers);
}
else{
mail('test@test.com',"Error",$emailbody,$headers);
}
}
//what we need to return back to our form
$returndata = array(
'posted_form_data' => array(
'name' => $name,
'email' => $email,
'website' => $website,
'budget' => $budget,
'message' => $message
),
'form_ok' => $formok,
'errors' => $errors
);
//if this is not an ajax request
if(empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) !== 'xmlhttprequest'){
//set session variables
session_start();
$_SESSION['cf_returndata'] = $returndata;
//redirect back to form
header('location: ' . $_SERVER['HTTP_REFERER']);
}
}
推荐答案
既然你知道接收者地址 - 你不应该通过它。
提交表单时 - 您可以使用后端PHP脚本发送它,而不会将其暴露给用户!
Since you know the receiver address - you shouldn't pass it. When the form is submitted - you can use the backend PHP script to send it without exposing it to the user at all!
这篇关于传递表单变量的安全方式的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文