PHP中的GET表单出现问题
[英]Problems with my GET form in PHP
问题描述
I made a GET form recently.But the problem is that it is highly vulnerable.You can inject your an script as below. 
我最近做了一个GET表单,但是问题是它很容易受到攻击,您可以按如下所示插入脚本。
http://mysite.com/processget.phtml?search=<a href="http://google.com">Hacked</a>
I'm able to inject any kind of script into my above URL.I'm actually echoing my GET data using an echo in my BODY,so whenever i enter a malicious script it is being executed in my BODY tag.So now how do i limit this http://mysite.com/processget.phtml?search= to just Number,letters and a few symbols which i want. 我可以在上面的URL中注入任何类型的脚本。实际上我是在BODY中使用回显来回显GET数据,因此每当我输入恶意脚本时,BODY标签中就会执行该脚本。我将这个http://mysite.com/processget.phtml?search=限制为我想要的数字,字母和一些符号。
For ex.The user should only be able to enter 例如,用户只能输入
http://mysite.com/processget.phtml?search=A123123+*$
So can anyof you help me fix this bug.I'm kind of new to PHP,so please explain. 因此,您有谁可以帮助我修复此错误。我是PHP的新手,请解释一下。
3 个解决方案
解决方案1
2 2010-09-21 11:52:23
if (!empty($_GET['search'])) {
$search = htmlentities($_GET['search'],ENT_QUOTES,'UTF-8');
echo $search;
}
Now it's safe. 现在很安全。
But if you want to limit to specific symbols, then you need to use regular expressions. 但是,如果要限制为特定的符号,则需要使用正则表达式。
解决方案2
1 2010-09-21 11:51:45
You can let a user enter whatever you like; 您可以让用户输入您喜欢的任何内容; the key is to escape the output. 关键是转义输出。 Then the string is displayed as desired, rather than included as HTML. 然后,根据需要显示该字符串,而不是将其包含为HTML。
Use a php function like htmlentities 使用类似htmlentities的php函数
解决方案3
0 已采纳 2010-09-21 11:51:00
Strip the tags: 去除标签:
echo strip_tags($_GET['search']);
Actually, you may want htmlspecialchars instead, which escapes the tags instead of removing them so they display as intended: 实际上,您可能需要htmlspecialchars ,它转义了标签而不是将其删除,因此它们按预期显示:
echo htmlspecialchars($_GET['search']);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.