从检查元素中隐藏 '<input type="hidden" name="userIP" value="<?php echo $_SERVER['REMOTE_ADDR']; ?>">'

Question

我有这个 HTML 和 PHP 联系表：

<?php

$valid = true;
$errors = array();
$contact = array(
'name' => null,
'email' => null,
'message' => null
);

// Check if the form has been posted
if (isset($_POST['name'], $_POST['email'], $_POST['message'])) {
$contact = filter_input_array(INPUT_POST, array(
'name'   => FILTER_SANITIZE_STRING,
'email'   => FILTER_SANITIZE_STRING,
'message'   => FILTER_SANITIZE_STRING,
), true);
if (empty($_POST['name'])) {
$valid = false;
$errors['name'] = "You must enter your name.";
}
if (empty($_POST['email'])) {
$valid = false;
$errors['email'] = "You must enter your email address.";
} elseif (!filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL)) {
$valid = false;
$errors['email'] = "You must enter a valid email address.";
}
if (empty($_POST['message'])) {
$valid = false;
$errors['message'] = "You must enter a message and/or subject.";
}
if ($valid) {
// The email address the email will be sent to
$to = "email@outlook.com";
// The email subject
$subject = $_POST['subject'];
// Set the from and reply-to address for the email
$headers = "From: ".$_POST['email'];
"X-Mailer: PHP/" . phpversion();
// Build the body of the email
$mailbody = "The contact form has been filled out.\n\n"
. "Name: " . $_POST['name'] . "\n"
. "Email: " . $_POST['email'] . "\n"
. "Message:\n" . $_POST['message'] . "\n"
. "IP: " . $_POST['userIP'];
// Send the email
mail($to, $subject, $mailbody, $headers);
// Go to the thank you page
header("location: contact.php");
exit;
}
}
?>

<div id="contactform">
<input type="text" class="field_a" name="name" value="<?php echo htmlspecialchars($contact['name']);?>" placeholder="Enter your name here">
<br>
<br>
<input class="field_a" name="email" type="email" value="<?php echo htmlspecialchars($contact['email']);?>" placeholder="And your email is?">
<br>
<br>
<input class="field_a" name="subject" type="text" value="<?php echo htmlspecialchars($contact['subject']);?>" placeholder="We need to know what your message is about">
<br>
<br>
<textarea class="field_b" name="message" rows="10" cols="25" placeholder="Finally, the message.."><?php echo htmlspecialchars($contact['message']);?></textarea>
<br>
<br>
<input class="field_c" style="width:830px;" name="send_mail" type="submit" value="Ready to send your message to All Things Roblox? Click me!">
<input type="hidden" name="userIP" value="<?php echo $_SERVER['REMOTE_ADDR']; ?>">
</div>
</form> 

我使用代码<input type="hidden" name="userIP" value="<?php echo $_SERVER['REMOTE_ADDR']; ?>">来获取用户的IP地址，但他们可以通过对该代码段使用inspect元素来轻松防止这种情况。

如何防止 <input type="hidden" name="userIP" value="<?php echo $_SERVER['REMOTE_ADDR']; ?>"> 显示？

再次感谢！

Answer 1

切勿通过客户端传递此类有价值的信息。而是在服务器端本身进行。在服务器端，您可以将有价值的数据发布到其他页面并在那里接收。

在这种情况下，您可以在服务器端 (PHP) 本身使用 <?php echo $_SERVER['REMOTE_ADDR']; ?> 直接获取 IP 地址。无需通过 HTML 传递。

更新

在你的 PHP 代码中，而不是这样做

$mailbody = "The contact form has been filled out.\n\n"
. "Name: " . $_POST['name'] . "\n"
. "Email: " . $_POST['email'] . "\n"
. "Message:\n" . $_POST['message'] . "\n"
. "IP: " . $_POST['userIP'];

这样，你可以直接调用

$mailbody = "The contact form has been filled out.\n\n"
. "Name: " . $_POST['name'] . "\n"
. "Email: " . $_POST['email'] . "\n"
. "Message:\n" . $_POST['message'] . "\n"
. "IP: " . $_SERVER['REMOTE_ADDR'];

因此您可以消除对隐藏字段的需要。