[Question title]: Check the security of a form.
[Posted]: 2014-05-19 12:00:38
[Question]:

My account has been suspended several times for spam, and my hosting provider told me to check my website's security. It may be that my form is not secure enough. Do you think this form could be used to send spam?

Here is my code:

<script type="text/javascript">
$(document).ready(function () {
    $('#form').ajaxForm({
        beforeSubmit: validate
    });

    function validate(formData, jqForm, options) {
        var name = $('input[name=name]').fieldValue();
        var email = $('input[name=email]').fieldValue();
        var company = $('input[name=company]').fieldValue();
        var location = $('input[name=location]').fieldValue();
        var phone = $('input[name=phone]').fieldValue();
        var message = $('textarea[name=message]').fieldValue();

        if (!name[0]) {
            alert('Please enter your name');
            return false;
        }
        if (!company[0]) {
            alert('Please enter the name of your organization');
            return false;
        }
        if (!email[0]) {
            alert('Please enter your e-mail address');
            return false;
        }
        if (!phone[0]) {
            alert('Please enter your phone number');
            return false;
        }
        if (!location[0]) {
            alert('Please enter your location');
            return false;
        }
        if (!message[0]) {
            alert('Please enter your message');
            return false;
        }

        else {

        $("#form").fadeOut(1000, function () {
            $(this).html("<img src='note.png' style='position: relative;margin: 0 auto;width: 500px;left: 20px;top: 30px;'/>").fadeIn(2000);
        });

        var message = $('textarea[name=message]').val('');
        var name = $('input[name=name]').val('');
        var email = $('input[name=email]').val('');
        var phone = $('input[name=phone]').val('');
        var company = $('input[name=company]').val('');
        var location = $('input[name=location]').val('');

            } 
    }

});

</script>

html:

<form id="form" method="post" name="form" action="send.php">

<input id="name" type="text" name="name"/>

<input id="company" type="text" name="company"/>

<input id="email" type="text" name="email"/>

<input id="phone" type="text" name="phone"/>

<input id="location" type="text" name="location"/>

<textarea name="message" id="message" rows="10"></textarea>

<input class="submit" type="submit" value="send" name="submit"></input>

</form>

php:

<?php
        if($_POST){
                $email = $_POST['email'];
                $name = $_POST ['name'];
                $company = $_POST ['company'];
                $phone = $_POST ['phone'];
                $location = $_POST ['location'];
                $message = $_POST ['message'];

                // response hash
                $ajaxresponse = array('type'=>'', 'message'=>'');

                try {
                        // do some sort of data validations, very simple example below
                        $all_fields = array('name', 'email', 'message');
                        filter_var($email, FILTER_VALIDATE_EMAIL);

                        foreach($all_fields as $field){
                                if(empty($_POST[$field])){
                                        throw new Exception('Required field "'.ucfirst($field).'" missing input.');
                                }
                        }

                        // ok, if field validations are ok
                        // now Send Email, ect.

                        // let's assume everything is ok, setup successful response
                        $subject = "Someone has contacted you";
                        //get todays date
                        $todayis = date("l, F j, Y, g:i a") ;

                        $message = " $todayis \n
                        Attention: \n\n
                        Please see the message below: \n\n
                        Email Address: $email \n\n
                        Organization: $company \n\n
                        Phone: $phone \n\n
                        Location: $location \n\n
                        Name: $name \n\n
                        Message: $message \n\n

                        ";

                        $from = "From: $email\r\n";


                        //put your email address here
                        mail("...@yahoo.com", $subject, $message, $from);

                        //prep json response
                        $ajaxresponse['type'] = 'success';
                        $ajaxresponse['message'] = 'Thank You! Will be in touch soon';  
                } catch(Exception $e){
                        $ajaxresponse['type'] = 'error';
                        $ajaxresponse['message'] = $e->getMessage();
                }
                // now we are ready to turn this hash into JSON
                print json_encode($ajaxresponse);
                exit;
        }
?>

Thank you very much!

[Discussion]:

Tags: javascript php forms security spam
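The posted send.php calls filter_var() but discards its result, then copies $email straight into the From: header handed to mail(). The helper below is an added example, not code from the question: it validates the fields before anything reaches a header, and keeps the visitor's address out of From: altogether. The function names and the noreply@example.com sender are assumptions; the field names match the posted form.

```php
<?php
// Added example, not code from the question: validate the contact form's input
// before any of it reaches mail(). The posted send.php calls filter_var() but
// discards its result and then copies $email straight into the From: header.
// Function names are my own; field names match the posted form.

function validate_contact_post(array $post): array
{
    $errors = [];

    // Required fields, as in the posted code, but trimmed so whitespace does not count.
    foreach (['name', 'email', 'message'] as $field) {
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            $errors[] = 'Required field "' . ucfirst($field) . '" missing input.';
        }
    }

    $email = isset($post['email']) ? (string) $post['email'] : '';
    // FILTER_VALIDATE_EMAIL returns false on failure. A valid address cannot contain
    // CR or LF, and the explicit check makes the intent visible: anything that goes
    // into a mail header must be a single line, or extra header lines could be appended.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false
        || preg_match('/[\r\n]/', $email) === 1) {
        $errors[] = 'Invalid e-mail address.';
    }

    return $errors;
}

// Keep the visitor's address out of From: entirely. The sender is a fixed address the
// site owns (placeholder below); the visitor's validated address goes into Reply-To.
function build_mail_headers(string $validated_email): string
{
    return "From: noreply@example.com\r\n"   // placeholder for the site's own address
         . "Reply-To: $validated_email\r\n";
}

// Constructed samples: one well-formed submission and one whose address is not a single line.
$good = ['name' => 'Ann', 'email' => 'ann@example.com', 'message' => 'Hello'];
$bad  = ['name' => 'Ann', 'email' => "ann@example.com\r\nsecond line", 'message' => 'Hello'];

if (validate_contact_post($good) === [] && validate_contact_post($bad) !== []) {
    // Only now is it safe to build headers from $good['email'].
    $headers = build_mail_headers($good['email']);
}
```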


[Solution 1]:

Try this Spam Checker. It is a useful program written in Java that uses DNS lookups to find spam IP addresses. Hope this helps.

[Discussion]:

[Solution 2]:

Taking a cue from the suggestions above, I am simply providing ready-made code for you to use.

HTML

<form id="form" method="post" name="form" action="send.php">

<input id="name" type="text" name="name"/>

<input id="company" type="text" name="company"/>

<input id="email" type="text" name="email"/>

<input id="checkbot" type="hidden" name="timestamp" value="" />

<input id="phone" type="text" name="phone"/>

<input id="location" type="text" name="location"/>

<textarea name="message" id="message" rows="10"></textarea>

<input class="submit" type="submit" value="send" name="submit"/>

</form>
    

Javascript

<script type="text/javascript">
$(document).ready(function () {
    /* Set the current time (milliseconds, from $.now()) on the hidden field. */
    $('#checkbot').val($.now());

    $('#form').ajaxForm({
        beforeSubmit: validate
    });

    function validate(formData, jqForm, options) {
        var name = $('input[name=name]').fieldValue();
        var email = $('input[name=email]').fieldValue();
        var company = $('input[name=company]').fieldValue();
        var location = $('input[name=location]').fieldValue();
        var phone = $('input[name=phone]').fieldValue();
        var message = $('textarea[name=message]').fieldValue();

        if (!name[0]) {
            alert('Please enter your name');
            return false;
        }
        if (!company[0]) {
            alert('Please enter the name of your organization');
            return false;
        }
        if (!email[0]) {
            alert('Please enter your e-mail address');
            return false;
        }
        if (!phone[0]) {
            alert('Please enter your phone number');
            return false;
        }
        if (!location[0]) {
            alert('Please enter your location');
            return false;
        }
        if (!message[0]) {
            alert('Please enter your message');
            return false;
        }

        /* All fields are filled: show the confirmation image and clear the form. */
        $("#form").fadeOut(1000, function () {
            $(this).html("<img src='note.png' style='position: relative;margin: 0 auto;width: 500px;left: 20px;top: 30px;'/>").fadeIn(2000);
        });

        $('textarea[name=message]').val('');
        $('input[name=name]').val('');
        $('input[name=email]').val('');
        $('input[name=phone]').val('');
        $('input[name=company]').val('');
        $('input[name=location]').val('');

        return true;
    }
});
</script>
    

PHP

<?php
if ($_POST) {
    $email    = $_POST['email'];
    $name     = $_POST['name'];
    $company  = $_POST['company'];
    $phone    = $_POST['phone'];
    $location = $_POST['location'];
    $message  = $_POST['message'];

    // The hidden field is always filled in by the page's JavaScript, so a submission
    // without it (or with a non-numeric value) did not come through the page.
    if (!isset($_POST['timestamp']) || !is_numeric($_POST['timestamp'])) {
        exit;
    }
    // $.now() is in milliseconds while time() is in seconds: convert before comparing,
    // otherwise the difference is always negative and every submission is rejected.
    $checkbot  = (int) ((float) $_POST['timestamp'] / 1000);
    $time_diff = time() - $checkbot;

    // If the time difference is less than 15 sec it's a bot.
    // Note: the timestamp is supplied by the client, so this only catches bots that do not fake it.
    if ($time_diff < 15) {
        exit;
    }

    // response hash
    $ajaxresponse = array('type' => '', 'message' => '');

    try {
        // do some sort of data validations, very simple example below
        $all_fields = array('name', 'email', 'message');
        foreach ($all_fields as $field) {
            if (empty($_POST[$field])) {
                throw new Exception('Required field "' . ucfirst($field) . '" missing input.');
            }
        }
        // filter_var() returns false for an invalid address; the result must be checked,
        // because $email is about to be placed in a mail header.
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            throw new Exception('Invalid e-mail address.');
        }

        // ok, if field validations are ok
        // now Send Email, etc.

        // let's assume everything is ok, setup successful response
        $subject = "Someone has contacted you";
        // get today's date
        $todayis = date("l, F j, Y, g:i a");

        // Build the mail body in its own variable so the visitor's message is not overwritten.
        $body = " $todayis \n
        Attention: \n\n
        Please see the message below: \n\n
        Email Address: $email \n\n
        Organization: $company \n\n
        Phone: $phone \n\n
        Location: $location \n\n
        Name: $name \n\n
        Message: $message \n\n

        ";

        $from = "From: $email\r\n";

        // put your email address here
        mail("...@yahoo.com", $subject, $body, $from);

        // prep json response
        $ajaxresponse['type'] = 'success';
        $ajaxresponse['message'] = 'Thank You! Will be in touch soon';
    } catch (Exception $e) {
        $ajaxresponse['type'] = 'error';
        $ajaxresponse['message'] = $e->getMessage();
    }
    // now we are ready to turn this hash into JSON
    print json_encode($ajaxresponse);
    exit;
}
?>
    

[Discussion]:

[Solution 3]:

Your form is in fact not safe against bots, because you do not have a captcha or anything like it.

Two options for you:

1. Captcha

Captcha -> you have something to fill in -> you probably know this one! :)

https://www.google.com/recaptcha

2. Honeypot

A honeypot means you add hidden fields to the form. If those hidden fields change, you know a BOT has typed something into your form. Again, this is better than a captcha because your users do not have to fill in a captcha.

I prefer the honeypot, because I dislike forms where I have to fill in a captcha once or even twice when I fail or the captcha is unreadable.

http://haacked.com/archive/2007/09/11/honeypot-captcha.aspx/

[Discussion]:

• Thanks! I'm going to use a honeypot. It's a good idea. I used to get hundreds of spam emails a day through this form, but I thought it didn't matter because they only went to my junk Yahoo email address. Did they manage to send mail to other addresses through my form, or did my Yahoo email address get my site registered as spam? Thanks again
• No, it should not be possible to send email to your other email addresses, because you hard-coded the target email in the code.
[Solution 4]:

In theory it could be used to send spam, because you only check whether the fields have a value; as long as they do, it does not care whether the input came from a human or a bot. You can improve security by adding a captcha (http://www.captcha.net/) to verify that the person filling in your form is human.

[Discussion]:

[Solution 5]:
1. I have a simple way of stopping spammers that, at least in my experience, is 100% effective and avoids using reCAPTCHA and similar methods. After implementing it, nearly 100 spam emails a day from the HTML form on one of my sites dropped to zero over the past 5 years.

2. Another option I have used is a hidden field with a timestamp on it, which is then compared with the timestamp on the PHP side; if it is faster than 15 seconds (depending on how big or small your form is), it is a bot...

[Discussion]:

• Just curious, many people could be submitting at the same time, so wouldn't the second option reject the other people's requests?
• Normally this is called a honeypot -> but you do not check with a timestamp, you check the field's value. A user cannot change a hidden field. A bot can
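A server-side check that combines the honeypot field of Solution 3 with the fill-time check of Solutions 2 and 5, written as an added example rather than code from any of the answers. It goes beyond the answers in one respect: the timestamp is signed with a server-side secret, so a submission cannot bring an old timestamp of its own, which addresses the point in the comments that a hidden field can be changed by a bot. The field names 'website' and 'ts', the helper names, the thresholds and the secret are assumptions.

```php
<?php
// Added example (not code from any answer): server-side bot checks combining the
// honeypot from Solution 3 with the fill-time check from Solutions 2 and 5.
// Field names 'website' (honeypot) and 'ts' are assumed; the secret is a placeholder.

const FORM_SECRET = 'replace-with-a-long-random-server-side-secret'; // placeholder, not a real key
const MIN_FILL_SECONDS = 15;   // the threshold used in Solution 2
const MAX_FILL_SECONDS = 3600; // reject tokens older than an hour, so they cannot be hoarded

// Called when rendering the form: the timestamp is signed so a client cannot back-date it.
// This goes beyond the answers, which trust the client-supplied value as-is.
function issue_form_token(int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, FORM_SECRET);
}

// Returns null when the submission looks human, or a short reason when it should be dropped.
function bot_check(array $post, int $now): ?string
{
    // Honeypot: the field is hidden with CSS (not type="hidden"), so a browser submits it empty.
    if (isset($post['website']) && trim((string) $post['website']) !== '') {
        return 'honeypot filled';
    }

    $token = isset($post['ts']) ? (string) $post['ts'] : '';
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'token missing';
    }
    $issued   = (int) $parts[0];
    $expected = hash_hmac('sha256', (string) $issued, FORM_SECRET);
    if (!hash_equals($expected, $parts[1])) {
        return 'token forged';
    }

    $elapsed = $now - $issued;  // both sides in seconds, unlike $.now() (milliseconds) in Solution 2
    if ($elapsed < MIN_FILL_SECONDS) {
        return 'submitted too fast';
    }
    if ($elapsed > MAX_FILL_SECONDS) {
        return 'token expired';
    }
    return null;
}

// Constructed sample: a token issued 40 seconds ago with the honeypot left empty, which passes.
$sample = ['website' => '', 'ts' => issue_form_token(time() - 40), 'message' => 'hello'];
$reason = bot_check($sample, time());
if ($reason !== null) {
    exit; // drop silently, as Solution 2 does, so a bot learns nothing from the response
}
```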