PHP ?? ??? ??

? ???? PHP? ???? ?????? ??? ?? ???? ???? ???? ??? ?????.

??? ?? ????? ????? ?? ??? ??? ???? ???? ???. ???? ??? ??? ? ???? ??? ??? ?????.

??? ??? ??????? ???? ?? ?? ?? ??? ?? ??? ???? ???. ???? ??? ???? ???? ?? ??? ?? ???? ???? ?? ??? ????? ???? ????. ??? ?? ???? ??? ?? ????? ?? ???? ?? ? ????. ???? ??? ?? ?? ? ?? ????.

PHP ??? ??? ?? ??? ???? ???.

? ???? ??? ??? ???? ?? PHP ?? ???? ?? ??? ?????. ??? ?? ??? ?? ??? ???? ???.

PHP ?? ??? ?? ?

QQ圖片20161009114426.png

? ????? ?? ??? ?? ??? ?????.

QQ圖片20161009114556.png

?? ?? ??? ?? HTML ??? ???????.

??? ??

??, ???, ????? ??? ?? ???? ?? ??? ??? ?????. HTML ??? ??? ????.

Name: <input type="text" name="name">
E-mail: <input type="text" name="email">
Website: <input type="text" name="website">
Comment: <textarea name="comment" rows="5" cols="40"></textarea>

??? ??

?? ??? ??? ????. ?? ?? ??? ???? ?? HTML ??? ??? ????.

Gender:
<input type="radio" name="gender" value="female">Female
<input type="radio" name="gender" value="male">Male

?? ??

??? HTML ??? ??? ????.

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

? ??? ???? ?? ???? method="post"? ?? ?????.

$_SERVER["PHP_SELF"] ??? ??????

$_SERVER["PHP_SELF"]? ?? ?? ?? ????? ?? ??? ???? ?? ?? ?????.

??? $_SERVER["PHP_SELF"]? ?? ???? ???? ?? ?? ???? ??? ??? ????. ??? ???? ???? ?? ????? ?? ??? ??? ?? ? ????.

htmlspecialchars() ??? ??????

htmlspecialchars() ??? ?? ??? HTML ???? ?????. ?? < ? >? ?? HTML ??? < ??? ?? ???? HTML ?? JavaScript ??? ??? ???? ??? ???? ?? ??? ? ????(?? ??? ???? ??).

PHP ?? ??? ?? ?? ??

$_SERVER["PHP_SELF"] ??? ??? ?? ??? ? ????!

????? PHP_SELF? ???? ?? ???? ??? ???? XSS(?? ??? ????)? ??? ? ????.

?: XSS(?? ??? ????)? ? ???????? ?? ???? ??? ??? ?? ??????. XSS? ???? ???? ?? ???? ?? ? ???? ????? ? ????? ??? ? ????.

"test_form.php"?? ???? ??? ?? ??? ??? ?????.

?? ???? ?? ???? ?? URL? ???? "http://www. /test_form.php", ? ??? ??? ?? ?????:

????? , ?? ?? ?????.

??? ???? ?? ???? ?? URL? ???? ??:

http://www.miracleart.cn/test_form.php/%22%3E%3Cscript%3Ealert(' php ')%3C/script%3E

? ?? ? ??? ??? ?? ?????.

<form method="post" action="test_form.php "/><script>alert('php')</script>

? ??? ????? ???? ??? ?????. ??? ???? ???? JavaScript ??? ?????(????? ?? ??? ?????). ??? PHP_SELF ??? ??? ??? ? ??? ???? ???? ??? ????.

$_SERVER["PHP_SELF"]? ???? ?? ???? ??? ??????

htmlspecialchars() ??? ???? $_SERVER["PHP_SELF"]? ???? ?? ??? ? ????.

?? ??? ??? ????.

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" > ;

htmlspecialchars() ??? ?? ??? HTML ???? ?????. ?? ???? PHP_SELF ??? ????? ???? ??? ?? ??? ?????.

<form method="post" action="test_form.php/"><script>alert( 'php')< /script>">

??? ? ??? ?? ??? ????!

PHP? ?? ?? ??? ??

?? ?? ?? ? ?? PHP? htmlspecialchars() ??? ?? ?? ??? ???? ????.

htmlspecialchars() ??? ??? ? ???? ???? ??? ????? ?? ??:

< ;script>location.href('http://www.miracleart.cn')</script>

- ??? ?? ??? ??? ???? ????. ??? ?? ????? ??? ?????.

?? ? ??? ???? e- ??? ????.

???? ??? ???? ?? ? ?? ??? ? ???? ???.

1. (PHP Trim() ??? ??) ??? ?? ????? ???? ??(?? ??)? ?????. , ?, ? ??)

2. (PHP ??????() ??? ??) ??? ?? ????? ???? ??()

???? ?? ??? ????(??? ???? ???? ?? ??). ?? ????? ????).

?? ??? test_input()?? ??????.

???? ??

??? ??

<!DOCTYPE HTML> <html> <head> <meta charset="utf-8"> <title>菜鳥教程(runoob.com)</title> <style> .error {color: #FF0000;} </style> </head> <body> <?php // 定義變量并默認(rèn)設(shè)置為空值 $nameErr = $emailErr = $genderErr = $websiteErr = ""; $name = $email = $gender = $comment = $website = ""; if ($_SERVER["REQUEST_METHOD"] == "POST") { if (empty($_POST["name"])) { $nameErr = "名字是必需的"; } else { $name = test_input($_POST["name"]); // 檢測名字是否只包含字母跟空格 if (!preg_match("/^[a-zA-Z ]*$/",$name)) { $nameErr = "只允許字母和空格"; } } if (empty($_POST["email"])) { $emailErr = "郵箱是必需的"; } else { $email = test_input($_POST["email"]); // 檢測郵箱是否合法 if (!preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/",$email)) { $emailErr = "非法郵箱格式"; } } if (empty($_POST["website"])) { $website = ""; } else { $website = test_input($_POST["website"]); // 檢測 URL 地址是否合法 if (!preg_match("/\b(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]/i",$website)) { $websiteErr = "非法的 URL 的地址"; } } if (empty($_POST["comment"])) { $comment = ""; } else { $comment = test_input($_POST["comment"]); } if (empty($_POST["gender"])) { $genderErr = "性別是必需的"; } else { $gender = test_input($_POST["gender"]); } } function test_input($data) { $data = trim($data); $data = stripslashes($data); $data = htmlspecialchars($data); return $data; } ?> <h2>PHP 表單驗(yàn)證實(shí)例</h2> <p><span class="error">* 必需字段。</span></p> <form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>"> 名字: <input type="text" name="name" value="<?php echo $name;?>"> <span class="error">* <?php echo $nameErr;?></span> <br><br> E-mail: <input type="text" name="email" value="<?php echo $email;?>"> <span class="error">* <?php echo $emailErr;?></span> <br><br> 網(wǎng)址: <input type="text" name="website" value="<?php echo $website;?>"> <span class="error"><?php echo $websiteErr;?></span> <br><br> 備注: <textarea name="comment" rows="5" cols="40"><?php echo $comment;?></textarea> <br><br> 性別: <input type="radio" name="gender" <?php if (isset($gender) && $gender=="female") echo "checked";?> value="female">女 <input type="radio" name="gender" <?php if (isset($gender) && $gender=="male") echo "checked";?> value="male">男 <span class="error">* <?php echo $genderErr;?></span> <br><br> <input type="submit" name="submit" value="Submit"> </form> <?php echo "<h2>您輸入的內(nèi)容是:</h2>"; echo $name; echo "<br>"; echo $email; echo "<br>"; echo $website; echo "<br>"; echo $comment; echo "<br>"; echo $gender; ?> </body> </html>

?????? ???

????