PHP的mail():需要注意哪些潜在问题? [英] PHP's mail(): What are potential issues to watch out for?

问题描述

给出一个接受自定义用户输入(例如地址，主题行，消息)的联系表，有哪些安全隐患和陷阱"要注意?

Given a contact form that accepts custom user input (e.g. address, subject line, message), what are some security implications and "gotchas" to be careful of?

至少必须验证用户的电子邮件地址(可能使用filter_var()或等效方法).根据我的阅读，这还应该防止将其他标头注入到脚本中.

At a minimum, the user's email address will have to be validated (likely using filter_var() or equivalent). From what I've read, this should also prevent additional headers from being injected into the script.

主题行和消息内容如何?这些领域需要卫生吗?我认为电子邮件客户端会阻止脚本自动运行，并且我并不特别担心HTML标记(如果有人想花时间手工设置电子邮件样式，那是他们的特权-我只是不会看到它:P).如果需要卫生 ，那么在不引起干扰的情况下(即保持电子邮件的性质不变)的最佳方法是什么?

What about the subject line and message content though? Is any sanitation required for those fields? I figure an email client would prevent things like scripts from running automatically, and I'm not particularly worried about things like HTML tags (if someone wants to spend the time to style an email by hand, that's their prerogative - I just won't be seeing it :P). If sanitation is required, what's the best way of doing it without being too intrusive (i.e. keeping the nature of the email the same)?

推荐答案

如果您使用的是第四个参数(可选标头)，请注意是否要插入额外的标头，如果您正在执行类似的操作……

If you are using the fourth argument, the optional headers, watch for inserting of extra headers, if you are doing something like this...

mail($to, $subject, $message, 'From: $email');

如果$email来自用户输入并且未经过清理，则用户可以输入类似...

If $email comes from user input and is not sanitized, a user could enter something like...

\n\rCC:spammer@spamzilla.com

您可以通过滤除\n和\r或使用filter_var($email, FILTER_VALIDATE_EMAIL)函数验证$email来避免这种情况.

You can avoid this by filtering out \n and \r, or validating $email using the filter_var($email, FILTER_VALIDATE_EMAIL) function.

这篇关于PHP的mail():需要注意哪些潜在问题?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！