PHP将PHP回显到浏览器，没有显示出来，安全问题？

Question

What happen if i use the following?

<?php echo "<?php echo date('Y'); ?>"; ?>

i could not find an answer anywhere, and when i try it myself, i get:

<?php echo date('Y'); ?></td></tr></table>

However, it does not show up on front browser, only source.

So my question is, does this affect the html/browser/server in any way? as i do not want to end up creating a security issue should user post their own php code in a html only format, like a bio page etc.

Answer 1

It's because of the chevrons ('<' and '>'), because the browser interprets them as tags.

There are 2 ways you could get round this.

Either use the codes for special characters, so you would do:

<?php echo "&#60;?php echo date('Y'); ?&#62;"; ?>

Or, an easier way, use the htmlspecialchars() function:

<?php echo htmlspecialchars("<?php echo 'hi'; ?>"); ?>

More info on the htmlspecialchars() function can be found at http://www.php.net//manual/en/function.htmlspecialchars.php

Answer 2

It is not a security problem and will not have any effects on browser or server, at least not because of PHP code. Even if the string contains PHP code it will just be sent to the client which will not attempt to execute it.

The real problem when echo ing user-defined HTML is the risk of attacks such as XSS. Users could include arbitrary scripts or images or scramble the rest of the page by inserting arbitrary tags. In other words: Users could modify the whole page with a single line of HTML.

In general, it's a bad practice to allow such arbitrary input. Have a look at strip_tags which provides a very basic level of protection.