?? ??? ??
PHP ?? ??? ??
? ???? PHP? ???? ?????? ??? ?? ???? ???? ??? ?????.
PHP ??? ?? ?? ??? ???? ???.
? ???? ??? ??? ???? ?? PHP ?? ???? ?? ??? ?????. ??? ?? ??? ?? ??? ???? ???.
? ?? ??? HTML ???? ?? ?? ??? ???? ????. ??? ??? ??, ??? ?? ? ?? ??? ??? ???.
<!DOCTYPE HTML> <html> <head> <meta charset="utf-8"> <title>php.cn</title> <style> .error {color: #FF0000;} </style> </head> <body>
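<?php
// Validation messages and sanitised values for each field; all start empty so
// the form can be rendered before (and after) a POST.
$nameErr = $emailErr = $genderErr = $websiteErr = "";
$name = $email = $gender = $comment = $website = "";

// `?? ""` keeps a CLI/GET run from emitting an undefined-index warning;
// `===` avoids loose string comparison.
if (($_SERVER["REQUEST_METHOD"] ?? "") === "POST") {
    // Sanitise before testing for emptiness so that whitespace-only input
    // counts as missing, and "0" (which empty() would drop) counts as present.
    $name = test_input($_POST["name"] ?? "");
    if ($name === "") {
        $nameErr = "名字是必需的";
    } elseif (!preg_match("/^[a-zA-Z ]*$/", $name)) {
        // Only letters and spaces are allowed in the name.
        $nameErr = "只允許字母和空格";
    }

    $email = test_input($_POST["email"] ?? "");
    if ($email === "") {
        $emailErr = "郵箱是必需的";
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        // filter_var checks the whole value; the previous unanchored regex
        // accepted any string that merely contained something@host.tld.
        $emailErr = "非法郵箱格式";
    }

    // Website is optional; validate only when something was entered.
    $website = test_input($_POST["website"] ?? "");
    if ($website !== ""
        && !preg_match("/\b(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]/i", $website)
    ) {
        $websiteErr = "非法的 URL 的地址";
    }

    // Comment is optional and free-form; it is only sanitised.
    $comment = test_input($_POST["comment"] ?? "");

    // Gender must be one of the values offered by the radio buttons
    // ("female"/"male"); anything else (a tampered request) counts as missing.
    $gender = test_input($_POST["gender"] ?? "");
    if (!in_array($gender, ["female", "male"], true)) {
        $gender = "";
        $genderErr = "性別是必需的";
    }
}

/**
 * Normalises one submitted value for safe re-display inside HTML.
 *
 * Trims surrounding whitespace, removes backslashes (the legacy
 * magic_quotes undo step this tutorial documents) and escapes the HTML
 * special characters. Single quotes are escaped explicitly so the value is
 * also safe inside single-quoted attributes; invalid UTF-8 is substituted
 * rather than producing an empty string.
 *
 * @param mixed $data raw request value; a non-string (e.g. name[]=x) yields ""
 *                    instead of letting trim() throw a TypeError
 */
function test_input($data): string
{
    if (!is_string($data)) {
        return "";
    }
    $data = trim($data);
    $data = stripslashes($data);
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
}
?>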
?? ?? HTML ?? ??? ???????.
??? ??
"名字", "E-mail", 及"網址"字段為文本輸入元素,"備注"字段是 textarea。HTML代碼如下所示: “名字”: <input type="text" name="name"> E-mail: <input type="text" name="email"> 網址: <input type="text" name="website"> 備注: <textarea name="comment" rows="5" cols="40"></textarea>
??? ??
"??" ??? ??? ???? HTML ??? ??? ????.
??:
<input type="radio" name="gender" value="female">??
<input type="radio" name="gender" value="male">Male
Form ??
HTML ? ??? ??? ????. ??>
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">? ??? method="? ?????. post' ???? ???? ???? ?????.
$_SERVER["PHP_SELF"]? ?? ?? ???? ?? ?? ?????. ?? ?? ?? ????. ?? ??? ??? ?? ?????.
htmlspecialchars() ??? ?? ??? ?? ??? HTML ???? ?????.
> ?? ??? ??? ??? ????.
· &(He)? &amp;
· · "(????)? &quot;
? ???. · '(?????)? ??? ????.
·??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? ??? ??? ?? ??????
$_SERVER["PHP_SELF"] ??? ??? ??? ? ????. ??? ??? ??? ???? HTTP ??? ???? ??? ?? $_SERVER["PHP_SELF"] ?? ??? ????? ?????. ? ??? ??? ??? ????? ?? ?? ??? ???? ?????. ??? $_SERVER["PHP_SELF"] ????? ???? ?? ?? ?? JavaScript? ?????.XSS? CSS(Cross-Site Script)??? ???. ???? ???? ???? ???? ??? ? ? ???? ?? HTML ??? ???? ?? ???? ???? ???? ???? ???? ??? ??? ???? ?? ?? ??? HTML ??? ?????. >
?? ?? ?? ??? "test_form.php"? ?????.
<form method="post" action="<?php echo $_SERVER["PHP_SELF"];?>">
?? URL? ???? ?? ??? ?????. test_form.php" ", ? ??? ??? ?? ?????.
<form method="post" action="test_form.php">
?????.
??? ???? ???? ?? ???? ?? ??? ????? ?? ?????.
http://miracleart.cn/test_form.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E
? URL? ?? ??? ?? ???? ?????:
<form method="post" action="test_form.php/"><script>alert('hacked')</script>
??? ???? ??? ????, ?? ??? ?????. ? Javascript ??? ???? ??? ? ?????(????? ?? ??? ???). ?? ??? PHP_SELF ??? ??? ??? ? ??? ???? ??? ????.
<script> ???? ?? JavaScript ??? ??? ? ????. ??? ?? ??? ???? ?? ??? ????? ? ????. ?? ??? ?? ??? ????? ???? ?? ???? ?? ? ????.
$_SERVER["PHP_SELF"]? ???? ?? ???? ??? ??????
$_SERVER["PHP_SELF"]? htmlspecialchars( ) ?? .
? ??? ??? ????:
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
htmlspecialchars() ?? ??? ?? ??? HTML ???? ?????. ?? ???? PHP_SELF ??? ????? ?? ??? ??? ?? ?????.
<form method="post" action="test_form.php/&quot;&gt;&lt;script&gt;alert('hacked')&lt;/script&gt;">
? ???? ????? ??? ??????!
PHP? ???? ?? ??? ??? ??
?? PHP? htmlspecialchars() ??? ?? ???? ??? ?? ???? ?????.
htmlspecialchars() ??? ??? ? ???? ?? ??? ??? ????? ???.
<script>location.href('http://miracleart.cn')</script>
? ??? ??? ?? HTML ????? ??? ????? ???? ????.
&lt;script&gt;location.href('http://miracleart.cn')&lt;/script&gt;
? ??? ???? ???? ????? ????? ???? ??? ? ????.
???? ??? ???? ?? ? ?? ??? ?????.
1. PHP Trim() ??? ???? ????? ???? ??(?: ??, ?)? ?????. ?? ???, ??).
2. PHP ??????() ??? ???? ??? ?? ????? ????? ?????()
????, ??? ?? ??? ??? ??? ??? ??? ??? ?????. ??? ??? ????? ?? ??? ? ????.
?? ??? test_input()?? ?????.
?? test_input() ??? ?? $_POST? ?? ??? ??? ? ????. ???? ??? ??? ????.
?
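<?php
// Sanitised copies of the submitted fields; empty until the form is posted.
$name = $email = $gender = $comment = $website = "";

// Only handle a POST. `?? ""` on each field keeps a missing key from raising
// an undefined-index warning, and `===` avoids loose string comparison.
if (($_SERVER["REQUEST_METHOD"] ?? "") === "POST") {
    $name = test_input($_POST["name"] ?? "");
    $email = test_input($_POST["email"] ?? "");
    $website = test_input($_POST["website"] ?? "");
    $comment = test_input($_POST["comment"] ?? "");
    $gender = test_input($_POST["gender"] ?? "");
}

/**
 * Normalises one submitted value for safe re-display inside HTML.
 *
 * Trims surrounding whitespace, removes backslashes (the legacy
 * magic_quotes undo step this tutorial documents) and escapes the HTML
 * special characters. Single quotes are escaped explicitly so the value is
 * also safe inside single-quoted attributes; invalid UTF-8 is substituted
 * rather than producing an empty string.
 *
 * @param mixed $data raw request value; a non-string (e.g. name[]=x) yields ""
 *                    instead of letting trim() throw a TypeError
 */
function test_input($data): string
{
    if (!is_string($data)) {
        return "";
    }
    $data = trim($data);
    $data = stripslashes($data);
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
}
?>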
? ????? ?? $_SERVER["REQUEST_METHOD"]? ???? ??? ?????? ??? ?????. REQUEST_METHOD? POST?? ??? ???? ???? ???? ?????. ??? ???? ??? ??? ??? ???? ???? ?????.
1. PHP Trim() ??? ???? ??? ?? ????? ???? ??(?: ??, ?, ? ??)? ?????.
2. PHP ??????() ??? ???? ??? ?? ???()?? ????()? ?????
3. test_input() ??? ???? $_POST? ?? ??? ?????