Is PHPMailer Secure?


Question


I know this probably isn't an easy question but I'm developing several webforms and want a PHP library that I can use to send the mail and have it automatically sanitize the data. I was looking at PHPMailer which looked pretty simple to setup.


Is PHPMailer a secure library to use to prevent my forms from being subject to SQL Injection/E-mail Injection / XSS, etc? I recognize nothing is 100% secure but I'm looking for an easy script to use without me having to sanitize the data.

Recommended answer


PHPMailer doesn't create/use any SQL itself, nor does it have anything to do with javascript, so it's secure on those fronts. It is often used alongside code that does both, but that's not PHPMailer's concern.


It applies filtering to headers in order to avoid header injection attacks, and (as far as I'm aware!) builds headers correctly in order to escape and encode according to RFCs - generally PHPMailer favours strict technical compliance where practical. There is one open issue relating to line length compliance.


If run with PHP 5.6 using default settings, it verifies SSL/TLS certificates on secure connections. Earlier PHP versions don't do this by default, and you can disable it in PHP 5.6, though neither is recommended. There is an open issue relating to forcing this setting in earlier PHP versions.


All that said, of course PHPMailer (like any technical library) can be abused to send all kinds of nasty phishing, spam and malware, and the SMTP class can be used to try to confuse the hell out of mail servers, though it will try its hardest to ensure it does so with the utmost respect for the RFCs.
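As an added example (not part of the answer above, nor PHPMailer's own documentation), here is a contact-form handler that uses PHPMailer the way the answer describes: the library takes care of header encoding and, on PHP 5.6+, certificate verification, while the surrounding code still validates the form fields, keeps the visitor's address out of the From header, and leaves TLS verification at its default. PHPMailer 6 installed via Composer, the SMTP settings and the form field names are all assumptions.

```php
<?php
// Assumed: PHPMailer 6 installed via Composer; the SMTP host, credentials and
// form field names are placeholders.
require __DIR__ . '/vendor/autoload.php';
use PHPMailer\PHPMailer\PHPMailer;

// Refuse CR/LF/NUL in anything destined for a header. PHPMailer strips them
// itself, but rejecting up front means the attempt gets logged instead of a
// silently altered message being sent.
function safeHeaderValue(string $value, int $maxLen = 200): string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen || preg_match('/[\r\n\x00]/', $value)) {
        throw new InvalidArgumentException('Rejected unsafe header value');
    }
    return $value;
}

$mail = new PHPMailer(true); // true: throw on failure instead of returning false
try {
    $name    = safeHeaderValue($_POST['name'] ?? '', 100);
    $email   = safeHeaderValue($_POST['email'] ?? '');
    $subject = safeHeaderValue($_POST['subject'] ?? '');
    $message = (string) ($_POST['message'] ?? '');
    if (!PHPMailer::validateAddress($email)) {   // PHPMailer's own RFC-based validator
        throw new InvalidArgumentException('Invalid e-mail address');
    }
    $mail->isSMTP();
    $mail->Host       = 'smtp.example.com';      // placeholder
    $mail->Port       = 587;
    $mail->SMTPAuth   = true;
    $mail->Username   = 'forms@example.com';     // placeholder
    $mail->Password   = getenv('SMTP_PASSWORD'); // keep it out of the source tree
    $mail->SMTPSecure = 'tls';                   // STARTTLS; leave certificate verification at its default (on)

    // From is the site's own address so SPF/DMARC still pass; the visitor's
    // address only goes into Reply-To, where it cannot spoof the sender.
    $mail->setFrom('forms@example.com', 'Website contact form');
    $mail->addReplyTo($email, $name);
    $mail->addAddress('inbox@example.com');      // placeholder recipient
    $mail->isHTML(false);                        // plain-text body
    $mail->Subject = 'Contact form: ' . $subject;
    $mail->Body    = "From: $name <$email>\n\n" . $message;
    $mail->send();
    echo 'Message sent';
} catch (\Exception $e) {
    error_log('Contact form rejected or failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Message could not be sent');
}
```

The `safeHeaderValue()` check is defence in depth: it duplicates filtering PHPMailer already does, but turns an injection attempt into a logged rejection rather than a delivered message with the newlines stripped.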
