Sanitize the post variable with filter_var().

用 清理 post 变量filter_var()。

Example here. Like:

示例在这里。喜欢：

echo filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);   

Since you're not building an SQL query or anything here, the only relevant validation that I can see for those inputs is an email validation for $_POST["email"], and maybe an alphanumeric filter on the other fields if you really want to limit the scope of what the message can contain.

由于您没有在此处构建 SQL 查询或任何内容，因此对于这些输入，我可以看到的唯一相关验证是 $_POST["email"] 的电子邮件验证，如果您真的需要，还可以在其他字段上使用字母数字过滤器限制消息可以包含的范围。

To filter the email address, simply use filter_var:

要过滤电子邮件地址，只需使用filter_var：

$email = filter_var($email, FILTER_SANITIZE_EMAIL);

As per Frank Farmer's suggestion, you can also filter out newlines in the email subject:

根据 Frank Farmer 的建议，您还可以过滤掉电子邮件主题中的换行符：

$subject = str_replace(array("\r","\n"),array(" "," "),$subject);

As others have noted, filter_varis great. If it's not available, add this to your toolchest.

正如其他人所指出的那样，filter_var很棒。如果它不可用，请将其添加到您的工具箱中。

The $headersvariable is particularly bad security-wise. It can be appended to and cause spoofed headers to be added. This post called Email Injectiondiscusses it pretty well.

该$headers变量在安全方面尤其糟糕。它可以附加到并导致添加欺骗标题。这篇名为电子邮件注入的帖子对此进行了很好的讨论。

filter_var is great, but another way to assure that something is an email address and not something bad is to use an isMail()function. Here's one:

filter_var i很好，但另一种确保某些东西是电子邮件地址而不是坏东西的方法是使用isMail()函数。这是一个：

function isEmail($email) {
    return preg_match('|^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]{2,})+$|i', $email);
};

So to use this, you could do:

所以要使用它，你可以这样做：

if (isset($_POST['email']) && isEmail($_POST['email'])) {
    $email = $_POST['email'] ;
} else {
    // you could halt execution here, set $email to a default email address
    // display an error, redirect, or some combination here,
}

In terms of manual validation, limiting the length using substr(), running strip_tags()and otherwise limiting what can be put in.

在手动验证方面，限制使用substr()、运行strip_tags()和以其他方式限制可以放入的内容的长度。

You need to remove any newlines from input provided by users in $headers, which gets passed to mail() ($email in your case)! See Email injection.

您需要从 $headers 中用户提供的输入中删除任何换行符，这些输入将传递给 mail() （在您的情况下为 $email ）！请参阅电子邮件注入。

PHP should take care of sanitizing $to and $subject, but there are versions of PHP with bugs (Affected are PHP 4 <= 4.4.6 and PHP 5 <= 5.2.1, see MOPB-34-2007).

PHP 应该负责清理 $to 和 $subject，但有些版本的 PHP 存在错误（受影响的是 PHP 4 <= 4.4.6 和 PHP 5 <= 5.2.1，请参阅MOPB-34-2007）。

You can use the code from artlung's answer above to validate email..

您可以使用artlung上面的答案中的代码来验证电子邮件..

I use this kind of code to prevent header injection ..

我使用这种代码来防止头注入..

// define some mail() header's parts and commonly used spam code to filter using preg_match
$match = "/(from\:|to\:|bcc\:|cc\:|content\-type\:|mime\-version\:|subject\:|x\-mailer\:|reply\-to\:|\%0a|\%0b)/i";

// check if any field's value containing the one or more of the code above
if (preg_match($match, $name) || preg_match( $match, $message) || preg_match( $match, $email)) {

// I use ajax, so I call the string below and send it to js file to check whether the email is failed to send or not
echo "failed";

// If you are not using ajax, then you can redirect it with php header function i.e: header("Location: http://example.com/anypage/");

// stop the script before it reach or executing the mail function
die();

}

The mail()'s header filtering above is too strict, since some users may be using the filtered strings in their message without any intention to hiHyman your email form, so redirect it to a page that is explaining what kind of strings that is not allowed in the form or explain it on your form page.

本mail()的头球攻门高出滤波过于严格，因为一些用户可能会使用他们的信息过滤的字符串没有任何意图劫持你的电子邮件的形式，所以它重定向到一个网页，是解释串什么样未在允许的表单或在您的表单页面上解释它。