I created a tell-a-friend form for a CMS. I need some hidden fields in the form so that I can pass the home page address, a link to the logo and the web administrator's email address. However, the values of the hidden fields are not passed to my mail file. You can also try the form on my site at http://www.zoosh.me/tellafriend.php. Is there an error in the PHP, or is something wrong with my file? I would really appreciate your help.
Thanks, Ovi
<form id="tellafriend" method="post" action="mail.php">
<fieldset>
<img id="telllogo" width="170" alt="Logo" src="/perch/resources/1253956138myself-w170.jpg"/>
<input type="hidden" value="/perch/resources/1253956138myself-w170.jpg" name="logo"/>
<input type="hidden" value="http://www.zoosh.me" name="webaddress"/>
<ul class="wrapper">
<li>
<label class="label" for="yourname">Your Name:</label>
<input id="yourname" class="text jquery-live-validation-on invalid" type="text" value="" name="yourname"/>
<img alt="Invalid" src="images/invalid.png"/>
</li>
<li>
<label for="youremail">Your Email:</label>
<input id="youremail" class="text jquery-live-validation-on invalid" type="text" value="" name="youremail"/>
<img alt="Invalid" src="images/invalid.png"/>
</li>
<li>
<label for="friendsname">Friend's Name:</label>
<input id="friendsname" class="text jquery-live-validation-on invalid" type="text" value="" name="friendsname"/>
<img alt="Invalid" src="images/invalid.png"/>
</li>
<li>
<label for="friendsemail">Friend's Email:</label>
<input id="friendsemail" class="text jquery-live-validation-on invalid" type="text" value="" name="friendsemail"/>
<img alt="Invalid" src="images/invalid.png"/>
</li>
<li>
<label for="message">
Your Message
<br/>
<small id="charLeft">150 Characters left</small>
</label>
<textarea id="message" class="jquery-live-validation-on invalid" cols="10" rows="3" name="message"></textarea>
<img alt="Invalid" src="images/invalid.png"/>
</li>
<li class="inputSubmit">
<input id="submit" class="submit" type="submit" value="Send"/>
</li>
</ul>
<input type="hidden" value="ovime@ovidiust.com" name="adminaddress"/>
</fieldset>
</form>
Below is the code of the mail.php file, which processes the form and sends the email to the visitor's friend.
<?php
// Values posted from tellafriend.php (the page submits them with jQuery's ajax function).
$yourname = $_POST['yourname'];
$youremail = $_POST['youremail'];
$news = $_POST['news'];                 // no field of this name exists in the form, so this is always empty
$friendsname = $_POST['friendsname'];
$friendsemail = $_POST['friendsemail'];
$adminemail = $_POST['adminaddress'];   // the hidden field is named "adminaddress", not "adminemail"
$logo = $_POST['logo'];
$webaddress = $_POST['webaddress'];
$subject = "I've found a great website!";
// $from is never assigned in this script, so these two headers are built from an empty value.
$headers = "From: " . strip_tags($from) . "\r\n";
$headers .= "Reply-To: " . strip_tags($from) . "\r\n";
$headers .= "BCC: contact@handinhandwithgod.com\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
$message = $_POST['message'];
// The HTML body; every POSTed value is interpolated into it unescaped.
$body="<html>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
<title>Zoosh</title>
</head>
<body>
<table width='90%' cellpadding='0' cellspacing='0'>
<tr>
<td align='center' valign='top'>
<table width='411' cellpadding='0' cellspacing='0'>
<tr>
<td><img src='http://recycledoc.com/emails/zoosh_tellafriend/tdbg.png' width='1' height='450' alt='Tdbg'></td>
<td background='http://recycledoc.com/emails/zoosh_tellafriend/tellafriendbg.jpg' valign='top' style='padding-top:20px; padding-right:20px; padding-bottom:20px; padding-left:20px;'>
<table width='370' cellpadding='0' cellspacing='0'>
<tr>
<td valign='top' width='170' style='padding-right:10px'><img src='"
. $webaddress . $logo . "' />
</td>
<td valign='top' width='190' style='font-family:Helvetica,Arial,Verdana,sans-serif; font-size:12px; color:#555;'>
<p style='margin-top:0; margin-bottom:0;'>
<span style='font-weight:bold;'>From:</span>" . $yourname . "<br>
<span style='font-weight:bold;'>Email:</span> <a style='text-decoration:none; color:#6927B2;' href='mailto:" . $youremail . "'>" . $youremail . "</a></p>
<p style='padding-top:200px;'>" . $message .
"</p>
<a href='" . $webaddress . "'><img src='http://recycledoc.com/emails/zoosh_tellafriend/visit.png' width='120' height='20' alt='Visit'></a>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</body>
</html>";
// Send to the friend, then a copy to the admin address and to the sender.
if (mail($friendsemail, $subject, $body, $headers)) {
echo "Thank you for telling your friend about my website. <a href='#' id='goback'>Click here</a> to tell another friend.";
} else {
echo "Sorry. There was a problem sending your email. Please try again!";
}
mail($adminemail, $subject, $body, $headers);
mail($youremail, $subject, $body, $headers);
You are bypassing the form's normal submission process and submitting via AJAX:
data: 'yourname=' + yourname + '&youremail=' + youremail + '&friendsname=' + friendsname + '&friendsemail=' + friendsemail + '&message=' + message,
This doesn't include logo, webaddress or adminaddress, so of course they don't reach the PHP script.
Also, you aren't escaping these values properly, so if someone puts an "&" or another special character in one of the fields, it will break. Use encodeURIComponent, or, since you are using jQuery's ajax function, just pass a lookup object and let jQuery handle it for you:
data: {'yourname': yourname, ...
There are more escaping problems like this.
$headers = "From: " . strip_tags($from) . "\r\n";
strip_tags is useless here. Mail headers are plain text; HTML tags have no special meaning in them. What is dangerous is newlines. They allow an attacker to add any headers they like to the mail, and possibly even to send multiple mails entirely under the attacker's control.
You should sanitise anything you put in a mail header very strictly; in particular, non-ASCII and control characters must be stripped.
<td valign='top' width='170' style='padding-right:10px'><img src='"
. $webaddress . $logo . "' />
HTML injection. $webaddress and $logo can contain quotes, allowing an attacker to insert arbitrary HTML and JavaScript. You need htmlspecialchars($s, ENT_QUOTES) every time you put text into HTML.
Allowing the user to choose any webaddress, logo, adminaddress and so on is dangerous as well. This is a gift to spammers: they will submit their own data and message, hijacking your web form to "tell a friend" about their own penis pills instead, and getting your server widely blocked. If you must have a "tell a friend" feature, you need to really lock down the permitted parameters; just putting them in a hidden field is no protection.
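The three points above (strip newlines and non-ASCII from anything that goes into a header, apply htmlspecialchars with ENT_QUOTES to every value interpolated into the HTML, and keep site-controlled values server-side instead of in hidden fields) combined into one hardened mail.php. This is an added example, not the original poster's script or the answerer's code; the constant values, the sender mailbox, the byte-length limits and the CLI self-check input are assumptions. It needs PHP 7.1 or later for the nullable return types.

```php
<?php
// Hardened replacement for the mail.php in the question. Added example, not the
// original poster's code. Values marked "assumed" are placeholders.

// Site-controlled values are fixed here instead of arriving in hidden fields,
// so a spammer cannot point the mail at their own site, logo or admin address.
const WEB_ADDRESS  = 'http://www.zoosh.me';                         // assumed
const LOGO_PATH    = '/perch/resources/1253956138myself-w170.jpg';  // assumed
const ADMIN_EMAIL  = 'admin@example.com';                            // assumed
const FROM_ADDRESS = 'noreply@example.com';                          // assumed mailbox on the sending host

// Returns $value if it contains only printable ASCII, otherwise null.
// This blocks CR/LF (header injection) and every control or non-ASCII byte.
function header_safe(string $value): ?string
{
    return preg_match('/[^\x20-\x7E]/', $value) ? null : $value;
}

// Validates an address for use as a recipient and inside the Reply-To header.
function valid_email(string $value): ?string
{
    $value = trim($value);
    if (strlen($value) > 254 || filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return header_safe($value);
}

// Escapes text (quotes included) before it is interpolated into the HTML body.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Builds the mail from the POSTed fields; returns null if any field is unusable.
function build_message(array $post): ?array
{
    $yourname     = trim((string)($post['yourname'] ?? ''));
    $friendsname  = trim((string)($post['friendsname'] ?? ''));
    $message      = (string)($post['message'] ?? '');
    $youremail    = valid_email((string)($post['youremail'] ?? ''));
    $friendsemail = valid_email((string)($post['friendsemail'] ?? ''));

    if ($youremail === null || $friendsemail === null
        || $yourname === '' || $friendsname === ''
        || strlen($yourname) > 100 || strlen($message) > 600) {   // byte limits, assumed
        return null;
    }

    // Fixed From address; the visitor's validated address only appears in Reply-To.
    $headers = "From: " . FROM_ADDRESS . "\r\n"
             . "Reply-To: " . $youremail . "\r\n"
             . "MIME-Version: 1.0\r\n"
             . "Content-Type: text/html; charset=UTF-8\r\n";

    $body = "<html><body>"
          . "<img src='" . h(WEB_ADDRESS . LOGO_PATH) . "' alt='Logo'>"
          . "<p><b>From:</b> " . h($yourname) . "<br>"
          . "<b>Email:</b> <a href='mailto:" . h($youremail) . "'>" . h($youremail) . "</a></p>"
          . "<p>" . nl2br(h($message)) . "</p>"
          . "<a href='" . h(WEB_ADDRESS) . "'>Visit</a>"
          . "</body></html>";

    return [
        'to'      => $friendsemail,
        'sender'  => $youremail,
        'subject' => "I've found a great website!",
        'body'    => $body,
        'headers' => $headers,
    ];
}

if (PHP_SAPI === 'cli') {
    // Offline self-check on constructed input: a header-injection attempt in the
    // e-mail field is refused, and a quote and tags in other fields are escaped.
    $attack = [
        'yourname'     => "Bob' onmouseover='alert(1)",
        'youremail'    => "bob@example.com\r\nBcc: everyone@example.net",
        'friendsname'  => 'Alice',
        'friendsemail' => 'alice@example.com',
        'message'      => 'Hi <b>Alice</b>',
    ];
    var_dump(build_message($attack) === null);                       // injected header refused

    $clean = $attack;
    $clean['youremail'] = 'bob@example.com';
    $msg = build_message($clean);
    var_dump(strpos($msg['body'], "onmouseover='") === false);       // quote in the name escaped
    var_dump(strpos($msg['body'], '<b>Alice</b>') === false);        // tags in the message escaped
} else {
    $msg = build_message($_POST);
    if ($msg === null) {
        http_response_code(400);
        echo "Sorry. One of the fields is missing or invalid.";
    } elseif (mail($msg['to'], $msg['subject'], $msg['body'], $msg['headers'])) {
        // Copies go only to the fixed admin address and to the validated sender.
        mail(ADMIN_EMAIL, $msg['subject'], $msg['body'], $msg['headers']);
        mail($msg['sender'], $msg['subject'], $msg['body'], $msg['headers']);
        echo "Thank you for telling your friend about my website.";
    } else {
        echo "Sorry. There was a problem sending your email. Please try again!";
    }
}
```

Run `php mail.php` from the command line to see the three self-checks; as a web script it behaves like the original but answers bad input with a 400 instead of sending. Note that fixing the site, logo and admin address server-side removes the spammer's ability to redirect the mail, but on its own it does not limit how many messages one visitor can send through the form.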