I understand that the topic has been covered far and wide, but somehow all my Google searches come down to a description of the mail function.
Can you suggest ideas on how to protect a form on the site more reliably? What checks and manipulations should be done on the data (it is not saved to a database, the form field values are just sent by mail)?
How do I check that the form was sent from the pages of our site?
I understand that checking for empty fields and trimming spaces and HTML tags is the bare minimum.


    For starters, the most appropriate option would be to use not the mail() function but a library (I recommend PHPMailer — incredibly easy to use) or your framework's tools (if you use one).

    Don't worry too much about the form on the site. The only things you have to put on your website are the field where the user enters the subject of the request and the field where he enters the message itself. Then these two fields are sent to your server, and there you prepare this data and send the email to some address. You can even send letters to yourself, for example example@site.ru => example@site.ru

    Actually, preparing the data that you send in the letter is also simple. First of all, check whether all fields are filled in (for example, with the empty() function). Then just run the fields through trim() (removes spaces and line breaks from both ends of the text) and htmlspecialchars(), which converts all special characters into HTML entities, so if someone wants to send you HTML, then in the letter you will see the HTML as it is, i.e. instead of bold donuts you will see <b>donuts</b> written literally. You can also pass the parameter ENT_QUOTES to the latter function, so that in addition to tags it also converts quotes.

    Well, that's it. It is not necessary to check where the letter came from, because if you don't expose the mailbox address to which you send the letter, no one will know about it. But if you really want to, you can just append something like "Sent from the site sitename.ru" at the end of the letter - no one can know about the existence of this line. But this is, in fact, a crude reinvented wheel, and I do not think that anyone even checks where the letter was written from.

    • Thanks for the answer, but I still think that checking whether the form was sent from the pages of our site is not superfluous, as I think it will exclude all kinds of robots. - pepel_xD
    • In PHP you only send a letter; everything else is your email server's concern. As I wrote, if you need this "check" for some reason, you can simply add something to the letter. If a person finds out your email address, he will be able to send an email to it in any case, no matter what you would like. - neluzhin
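As an added example (not code from the asker, the answerer, or PHPMailer), here is a PHP handler that applies the empty()/trim()/htmlspecialchars() steps from the answer, adds the per-session form token the asker was after, and rejects line breaks in the subject before it reaches a mail header. The field names, the session key, the recipient address and the use of the plain mail() function are assumptions made for the example.

```php
<?php
// Added example: preparing contact-form fields before mailing them.
// Field names, session key and recipient address are assumptions.
declare(strict_types=1);

session_start();

// Call this when rendering the form and echo the result into a hidden
// <input type="hidden" name="form_token" value="..."> on the page.
function form_token(): string
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

// Returns ['fields' => [...]] on success or ['errors' => [...]] on failure.
function prepare_contact_form(array $post, string $sessionToken): array
{
    $errors = [];

    // The hidden token must match the one this site stored in the session;
    // a request that did not come from a form rendered here will not have it.
    if ($sessionToken === '' || empty($post['form_token'])
        || !hash_equals($sessionToken, (string) $post['form_token'])) {
        $errors[] = 'Form was not submitted from this site';
    }

    $clean = [];
    foreach (['title', 'message'] as $name) {
        // empty() catches both missing fields and blank strings
        if (empty($post[$name]) || !is_string($post[$name])) {
            $errors[] = "Field '$name' is empty";
            continue;
        }
        // trim() strips spaces and line breaks at both ends; htmlspecialchars()
        // with ENT_QUOTES turns tags and quotes into entities, as in the answer
        $clean[$name] = htmlspecialchars(trim($post[$name]), ENT_QUOTES, 'UTF-8');
    }

    // The subject becomes a mail header: a CR or LF inside it would let the
    // sender append headers of their own, so reject it rather than strip it.
    if (isset($clean['title']) && preg_match('/[\r\n]/', $clean['title'])) {
        $errors[] = 'Subject must be a single line';
    }

    return $errors ? ['errors' => $errors] : ['fields' => $clean];
}

// Typical request handling.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $result = prepare_contact_form($_POST, (string) ($_SESSION['form_token'] ?? ''));
    if (isset($result['errors'])) {
        http_response_code(400);
        foreach ($result['errors'] as $e) {
            echo $e, "\n";
        }
        exit;
    }

    $to      = 'example@site.ru'; // address from the answer, used as a placeholder
    $subject = $result['fields']['title'];
    $body    = $result['fields']['message'] . "\n\nSent from the site sitename.ru";
    $headers = "From: example@site.ru\r\nContent-Type: text/plain; charset=UTF-8";

    mail($to, $subject, $body, $headers);
    unset($_SESSION['form_token']); // one-time token: a fresh one is issued next render
}
```

The token check is what distinguishes a submission from your own page from one posted directly to the handler by a script; it does not stop someone who already knows the mailbox address from mailing it directly, which is the point neluzhin makes in the comments. Keeping the subject single-line matters with mail() specifically, because the subject and any From header you build are written into the message headers verbatim.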