
PHP contact form validation / URL issue

Stack Overflow user
Asked on 2018-07-01 04:36:44
1 answer, 96 views, 0 followers, 0 votes

I have a PHP contact form with validation, but I have set up my .htaccess so that it strips .php from the URL, to make the URLs look cleaner (like WordPress URLs). The form works fine, except that when a user makes a validation error and presses "Submit", the form validates correctly but reloads the URL with the .php extension, so if they fix the error and submit again, my "external URL" hack-check PHP code kicks in and the form is not sent, because the URLs no longer match.

How can I perform the validation without a page "reload", or validate and reload without the .php extension in the URL?

PHP:

<?php
// define variables and set to empty values
$nameErr = $fromErr = $messageErr = $subjectErr = $phoneErr = $verif_boxErr = "";
$inquiries = $name = $from = $subject = $message = $verif_box = "";
$errors  = 0;

if ($_SERVER["REQUEST_METHOD"] == "POST") { // check if form has been submitted
    // Get the inquiries field (user input too, so it goes through test_input as well)
    $inquiries = test_input($_POST['inquiries'] ?? '');

    if (empty($_POST["name"])) {
        $nameErr = " * Name is missing";
        $errors  = 1;
        echo '<style type="text/css"> input#name {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
    } else {
        $name = test_input($_POST["name"]);
        // check if name only contains letters and whitespace
        if (!preg_match("/^[a-zA-Z ]*$/", $name)) {
            $nameErr = "Only letters and white space allowed";
            $errors  = 1;
            echo '<style type="text/css"> input#name {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
        }
    }
    if (empty($_POST["from"])) {
        $fromErr = " * Email is missing";
        $errors  = 1;
        echo '<style type="text/css"> input#from {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
    } else {
        $from = test_input($_POST["from"]);
        // check if e-mail address is well-formed
        if (!filter_var($from, FILTER_VALIDATE_EMAIL)) {
            $fromErr = "Invalid email format";
            $errors  = 1;
            echo '<style type="text/css"> input#from {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
        }
    }
    if (empty($_POST["subject"])) {
        $subjectErr = " * Subject is missing";
        $errors  = 1;
        echo '<style type="text/css"> input#subject {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
    } else {
        $subject = test_input($_POST["subject"]);
    }
    if (empty($_POST["message"])) {
        $messageErr = " * Message is missing";
        $errors  = 1;
        echo '<style type="text/css"> textarea#message {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
    } else {
        $message = test_input($_POST["message"]);
    }
    if (empty($_POST["verif_box"])) {
        $verif_boxErr = " * Security code is missing";
        $errors       = 1;
        echo '<style type="text/css"> input#verif_box {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
    } else {
        $verif_box = test_input($_POST["verif_box"]);
        // the cookie may be absent on the first request; note that it is supplied by the browser,
        // so this comparison only checks what the client chose to send back
        if (md5($verif_box) . 'a4xn' <> ($_COOKIE['tntcon'] ?? '')) {
            $verif_boxErr = " * Security code does not match";
            $errors       = 1;
            echo '<style type="text/css"> input#verif_box {border: 1px solid #F00; box-shadow: 0px 0px 5pt .1pt #F00 inset;}</style>';
        }
    }
    if ($errors == 0) { // all fields successfully validated. final hack check before sending email:
        // Stop the form being used from an external URL
        $referer  = ($_SERVER['HTTP_REFERER'] ?? '') . ".php";  // Get the referring URL (browser-supplied, may be empty)
        $this_url = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER["REQUEST_URI"];    // Get the URL of this page
        // If the referring URL and the URL of this page don't match then
        // display a message and don't send the email.
        if ($referer != $this_url) {
            echo "You do not have permission to use this script from another URL, nice hacking attempt moron.";
            exit;
        } else {   // send the email
            $message = "Subject: " . $subject . "\n\nMessage: " . $message;
            $message = "Inquiry: " . $inquiries . "\n" . $message;
            $message = "Name: " . $name . "\n" . $message;
            $message = "From: " . $from . "\n" . $message;
            // strip CR/LF from the subject so user input cannot inject extra mail headers
            $mail_subject = 'ContactUs: ' . str_replace(["\r", "\n"], ' ', $subject);
            mail("milkytech@gmail.com", $mail_subject, $_SERVER['REMOTE_ADDR'] . "\n\n" . $message, "From: Contact@AntiqueCafeBakery.com");
            setcookie('tntcon', '');    // delete the cookie so it cannot be sent again by refreshing this page
            header('Location: success');    // redirect to success page
            exit();
        }
    }
}
function test_input($data)
{
    $data = trim($data);    // strip unnecessary characters (extra space, tab, newline) from the user input data
    $data = stripslashes($data);    // remove backslashes (\) from the user input data
    $data = htmlspecialchars($data);    // pass all variables through PHP's htmlspecialchars() function
    return $data;
}
?>

HTML:

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" id="contactform">
    <div>
        <label for="inquiries"><strong>Inquiries:</strong></label>
        <select name="inquiries" id="inquiries">
            <option value="Catering">Catering</option>
            <option value="Cookie Gift Tins">Cookie Gift Tins</option>
            <option value="Retail Stores">Retail Stores</option>
            <option value="Employment">Employment</option>
            <option value="Investment">Investment</option>
        </select>
    </div>

    <div>
        <label for="name"><strong>Name:</strong></label>
        <input type="text" size="50" name="name" id="name" value="<?php echo $name;?>"/><span class="error"><?php echo $nameErr;?></span>
    </div>

    <div>
        <label for="from"><strong>Email:</strong></label>
        <input type="text" size="50" name="from" id="from" value="<?php echo $from;?>"/><span class="error"><?php echo $fromErr;?></span>
    </div>

    <div>
        <label for="subject"><strong>Subject:</strong></label>
        <input type="text" size="50" name="subject" id="subject" value="<?php echo $subject;?>" /><span class="error"><?php echo $subjectErr;?></span>
    </div>

    <div>
        <label for="message"><strong>Message:</strong></label>
        <textarea rows="5" cols="69" name="message" id="message"><?php echo $message;?></textarea><span class="error"><?php echo $messageErr;?></span>
    </div>
    <div id="verif">
        <span>Captcha Code:</span>
        <input name="verif_box" type="text" size="10" id="verif_box"/>
        <img id="imageid" class="verifbox" src="verificationimage.php?<?php echo rand(0,9999);?>" alt="verification image, type it in the box" />
        <input type="button" value="Reload Captcha" id="reload" onclick="reloadImg()" />

        <span class="error"><?php echo $verif_boxErr;?></span>
    </div>
    <div>
        <input type="submit" value="Send Message" name="submit" />
        <br /><br />
    </div> <!--end form-->
</form>

1 Answer

Stack Overflow user

Posted on 2018-07-01 04:53:12

Remove the action value so the form submits to the page itself.

   <form method="post" action="" id="contactform">

I hope this works.

Votes: -1
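The answer above keeps the browser on the clean URL, but the question's "external URL" check still compares two browser-supplied strings (the Referer header and the requested URI), so it breaks under URL rewriting and is not a reliable cross-site protection either. Below is an added example, not code from the question or the answer, of a session-held form token that does the same job regardless of how the URL is spelled; the function names issue_csrf_token and verify_csrf_token are my own.

```php
<?php
// Added example (not from the question or the answer): a session-based
// form token that replaces the HTTP_REFERER vs REQUEST_URI comparison.
// Both of those values come from the browser; the token lives in the
// server-side session, so it works whether the form is reached as
// /contact or /contact.php. Function names below are my own.

// Create a fresh random token and store it in the session. The array is
// passed by reference so the function can be exercised without a server.
function issue_csrf_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    $session['csrf_token'] = $token;
    return $token;
}

// Compare the submitted token with the stored one in constant time.
// A missing token (for example a POST from another site) returns false
// instead of raising an undefined-index notice.
function verify_csrf_token(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

// --- Usage in the contact form, in place of the $referer / $this_url block ---
session_start();   // must run before any output, including the inline <style> echoes

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verify_csrf_token($_SESSION, $_POST)) {
        http_response_code(403);
        exit('Form token missing or expired; please reload the page and try again.');
    }
    unset($_SESSION['csrf_token']);   // consume it: one token, one submission
    // ... field validation, mail() and the redirect to "success" as in the question ...
}

// When rendering the form (first visit, or again after a validation error),
// issue a new token and embed it as a hidden field inside <form>.
$token = issue_csrf_token($_SESSION);
echo '<input type="hidden" name="csrf_token" value="'
   . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
```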
Original content provided by Stack Overflow.
Original link:

https://stackoverflow.com/questions/51118307
