PHP Beginner's Introduction to Email Injection
PHP Prevent E-mail Injection
The best way to prevent e-mail injection is to validate the input.
The following code is similar to the one in the previous chapter, but here we have added an input validation program to detect the email field in the form:
<html>
<head>
<meta charset="utf-8">
<title>php中文網(wǎng)(php.cn)</title>
</head>
<body>
<?php
function spamcheck($field)
{
// filter_var() 過濾 e-mail
// 使用 FILTER_SANITIZE_EMAIL
$field=filter_var($field, FILTER_SANITIZE_EMAIL);
//filter_var() 過濾 e-mail
// 使用 FILTER_VALIDATE_EMAIL
if(filter_var($field, FILTER_VALIDATE_EMAIL))
{
return TRUE;
}
else
{
return FALSE;
}
}
if (isset($_REQUEST['email']))
{
// 如果接收到郵箱參數(shù)則發(fā)送郵件
// 判斷郵箱是否合法
$mailcheck = spamcheck($_REQUEST['email']);
if ($mailcheck==FALSE)
{
echo "非法輸入";
}
else
{
// 發(fā)送郵件
$email = $_REQUEST['email'] ;
$subject = $_REQUEST['subject'] ;
$message = $_REQUEST['message'] ;
mail("someone@example.com", "Subject: $subject",
$message, "From: $email" );
echo "Thank you for using our mail form";
}
}
else
{
// 如果沒有郵箱參數(shù)則顯示表單
echo "<form method='post' action='mailform.php'>
Email: <input name='email' type='text'><br>
Subject: <input name='subject' type='text'><br>
Message:<br>
<textarea name='message' rows='15' cols='40'>
</textarea><br>
<input type='submit'>
</form>";
}
?>
</body>
</html>Note:
is above In the code, we use PHP filter to validate the input:
FILTER_SANITIZE_EMAIL filter removes illegal characters of email from the string
FILTER_VALIDATE_EMAIL filter validates the value of email address
You can read more about filters in our PHP Filter.
