安全的php电子邮件脚本 [英] Secure php email script
问题描述
我想使用php脚本从网站上的html文件发送电子邮件。
这个php脚本是否足够安全,可以防止黑客和垃圾邮件?
I want to use a php script to send emails from a html file on a website. Would this php script be secure enough against hacking and spam?
<?php
$to = "emailto@site.com";
$subject = "Sent from site";
$email = $_POST['emailFrom'];
$message = $_POST['message'];
$email = filter_var($email , FILTER_SANITIZE_EMAIL);
$message = filter_var($message , FILTER_SANITIZE_EMAIL);
$message = $email . $message;
mail($to, $subject, $message, "From: webpage@site.com");
?>
推荐答案
FILTER_SANITIZE_EMAIL从字符串中删除非法电子邮件地址字符;因此,这不是电子邮件内容的最佳选择(对于电子邮件地址来说是有用的)。虽然删除HTML特殊字符在防止XSS攻击时很有用,但值得注意的是,和>在消息中(即现在)。因此最好把这些字符转换成它们的html实体。
I.e。
<将成为& lt;
和>将成为& gt;
FILTER_SANITIZE_EMAIL removes illegal email address characters from a string; this is, therefore not the best option for the contents of an email (however useful it may be for email addresses). Whilst removing HTML special characters is useful when preventing XSS attacks, it is worth noting that there are legitimate reasons to post < and > in messages (i.e. right now). Therefore it is better to convert these characters to their html entities.
I.e.
< would become <
and > would become >
所以为了将html字符更改为他们实体替换:
$ message = filter_var($ message,FILTER_SANITIZE_EMAIL); with
$ message = htmlspecialchars($ message);
除了它看起来不错;但请记住,如果涉及数据库,还应添加数据库清理。
So in order to change html characters to their entities replace:
$message = filter_var($message , FILTER_SANITIZE_EMAIL); with
$message = htmlspecialchars($message);
Other than that it looks good; but remember, in cases where a database is involved database sanitisation should also be added.
这篇关于安全的php电子邮件脚本的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
