问题
New to PHP, but making new progress. I have a contact form that will send an email after it has been submitted by the user. Now I want to make this form better, by stripping out bad characters, or anything that could potentially wreck an email. The email will be read by me, so I could technically browse through all the spam, but I don't want to. I want a clean email coming in for documentation purposes.
I am using the $_POST array, here is the HTML for the contact form:
<form class="form" method="post" action="contact.php">
<p class="name">
<input type="text" name="name" id="name" />
<label for="name">Name</label>
</p>
<p class="email">
<input type="text" name="email" id="email" />
<label for="email">E-mail</label>
</p>
<p class="web">
<input type="text" name="web" id="web" />
<label for="web">Website</label>
</p>
<p class="telephone">
<input type="text" name="telephone" id="telephone" />
<label for="telephone">Telephone</label>
</p>
<p class="question">Preferred Contact Method</p>
<p id="preferred_question">
<input type="radio" name="contact_option" class="telephone_opt" value="Telephone" />
<label for="telephone_opt">Telephone</label><br />
<input type="radio" name="contact_option" class="email_opt" value="Email" />
<label for="email_opt">Email</label></p>
<p class="question">Describe what you need..</p>
<p class="text">
<textarea name="text"></textarea>
</p>
<p class="submit">
<input type="submit" value="Send" />
</p>
</form>
Here is my contact.php (form action file)
<?php
$msg = "Name: " . $_POST['name'] . "<br />";
$msg .= "Email: " . $_POST['email'] . "<br />";
$msg .= "Website: " . $_POST['web'] . "<br />";
$msg .= "Telephone: " . $_POST['telephone'] . "<br />";
$msg .= "Preferred Contact Method: " . $_POST['contact_option'] . "<br />";
$msg .= "Customer Needs: " . $_POST['text'];
$recipient = "support@mysite.com";
$subject = "Contact Has Been Made..";
$mailheaders = "MIME-Version: 1.0" . "\r\n";
$mailheaders .= "Content-type:text/html;charset=iso-8859-1" . "\r\n";
$mailheaders .= "From: <support@mysite.com>" . "\r\n";
mail($recipient, $subject, $msg, $mailheaders);
echo "Thank You!";
?>
回答1:
Try this function as a good starting point:
function cleanInput($input) {
// Pass the $_GET, $_POST or $_REQUEST array
$output = array();
foreach ($input as $key=>$value) {
$o = $value;
// Make sure it's within the max length
$o = substr($o,0,256);
// Tidy up line breaks
$o = preg_replace('/\n{2,}/', "\n\n", $o);
$o = nl2br($o,FALSE);
// Strip any odd characters
$o = preg_replace('/[^A-Za-z0-9\. -\!\?\(\)\<\>\@]/', "", $o);
// Put the data back in the array
$output[$key] = $o;
}
// Return the array
return $output;
}
Usage: $post = cleanInput($_POST);
Then replace the $_POSTs with $post: $_POST['name'] would become $post['name'].
回答2:
First of all, you might wanna think about filtering theses datas with the filter_input function ( http://php.net/manual/en/function.filter-input.php ). A little security update ;) You can striptags ( http://ca1.php.net/manual/en/function.strip-tags.php ) allowing only the wanted TAGS, you can also think about addslahes() or stripslashes() to remove or add "\". Finally, you might want to encode the text properly (utf-8?) in order to see all special characters using htmlentities ( http://php.net/manual/en/function.htmlentities.php ). I myself use htmlentities (utf-8) and strip_tags() to send custom emails! Hope this helped
回答3:
It looks like besides a blanket filter for all values, you're looking for input validation. Here's a function for email validation. This uses regular expressions. I'm not going to write the code for all your requirements, but you can use this to start from.
function checkEmail($email) {
if (!preg_match('/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/' , $email)) {
return false;
}
return true;
}
回答4:
Sure thing, check out this simple little tutorial:
http://www.stemkoski.com/php-remove-non-ascii-characters-from-a-string/
Modify this to replace any character you want. Honestly, to the best of my ability this answers what I think you're asking. But if not, just do a google search, this question is pretty basic.
If you meant you want field validation, (so you'll only accept specifically formatted data), just do a quick search on it and you'll find great resources. Heres a whole tutorial that may be just what you need: http://buildinternet.com/2008/12/how-to-validate-a-form-complete-with-error-messages-using-php-part-1/
These two solutions probably gotcha covered :)
回答5:
you can use this function:
function sanitize($data){
$data= htmlentities(strip_tags(trim($data)));
$search = array('@<script[^>]*?>.*?</script>@si', // Strip out javascript
'@<[\/\!]*?[^<>]*?>@si', // Strip out HTML tags
'@<style[^>]*?>.*?</style>@siU', // Strip style tags properly
'@<![\s\S]*?--[ \t\n\r]*>@' // Strip multi-line comments including CDATA
);
$data = preg_replace($search, '', $data);
return $data;
}
回答6:
I took in alot of what you all told me and put something together from all of your answers.
Here is what I went with:
<?php
// Sanitize the data so its nice and clean..
function sanitize($data) {
$data = strip_tags(trim($data));
$search = array('/[^A-Za-z0-9\. -\!\?\(\)\<\>\@]/');
$data = preg_replace($search, '', $data);
return $data;
}
$msg = "Name: " . sanitize($_POST['name']) . "<br />";
$msg .= "Email: " . sanitize($_POST['email']) . "<br />";
$msg .= "Website: " . sanitize($_POST['web']) . "<br />";
$msg .= "Telephone: " . sanitize($_POST['telephone']) . "<br />";
$msg .= "Preferred Contact Method: " . sanitize($_POST['contact_option']) . "<br />";
$msg .= "Customer Needs: " . sanitize($_POST['text']);
$recipient = "support@mywebsite.com";
$subject = "Contact Has Been Made..";
$mailheaders = "MIME-Version: 1.0" . "\r\n";
$mailheaders .= "Content-type:text/html;charset=UTF-8" . "\r\n";
$mailheaders .= "From: <support@mywebsite.com>" . "\r\n";
// Mail the message..
mail($recipient, $subject, $msg, $mailheaders);
echo "Thank you for your email!<br/><br/>";
?>
来源:https://stackoverflow.com/questions/19167432/strip-bad-characters-from-an-html-php-contact-form