[英]prevent xss on input fields?
1-i have a form which has name family email birthday(which is a select) and gender which is two diffrent radio buttons one for male and another one obviously is for female. 1-i具有一种形式,名称为家庭电子邮件生日(可以选择)和性别,这是两个不同的单选按钮,一个是男性,另一个显然是女性。 now please can someone explain me how to prevent xss attacks on this fields in php? 现在请有人可以向我解释一下如何防止在php中对该字段进行xss攻击吗? my form data is like this 我的表格数据是这样的
<form action="register.php" method="post">
<div>
<table>
<tr><td><?php echo $lang['5']; ?> :</td><td> <input type="text" name="name" maxlength="254" class="required" /></td></tr>
<tr><td><?php echo $lang['6']; ?> :</td><td> <input type="text" name="family" maxlength="254" class="required" /></td></tr>
<tr><td><?php echo $lang['59']; ?> :</td><td> <input type="text" name="email" maxlength="254" class="required" /></td></tr>
<tr><td><?php echo $lang['74']; ?> :</td><td> <input type="text" name="repeat" maxlength="254" class="required" /></td></tr>
<tr><td><?php echo $lang['60']; ?> :</td><td><input type="password" name="password"/></td></tr>
<tr>
<td><?php echo $lang['8'] ?> :</td>
<td>
<select name="day">
<option><?php echo $lang['9'] ?></option>
<?php
for($i=1;$i<=31;$i++){
echo "<option value=\"{$i}\">{$i}</option>\n";
}
?>
</select>
<select name="month">
<?php
for($i=0;$i<=12;$i++){
$i = str_pad($i,2,"0",STR_PAD_LEFT);
echo "<option value=\"{$i}\">";T(1,$i);echo "</option>\n";
}
?>
</select>
<select name="year">
<option><?php echo $lang['11'] ?></option>
<?php
for($i=1300;$i<=1373;$i++){
if($i == $birthdate['0']){
echo "<option value=\"{$i}\" selected=\"selected\">{$i}</option>\n";
}else{
echo "<option value=\"{$i}\">{$i}</option>\n";
}
}
?>
</select>
</td>
</tr>
</table>
male : <input type="radio" name="gender[]" />female : <input type="radio" name="gender[]" /><br />
<input type="submit" name="submit" value="<?php echo $lang['63']; ?>" onclick="formhash(this.form, this.form.password);"/>
</div>
</form>
for name and family i did somthing like this for get just html entity with this pattern 为了名字和家人,我做了这样的事情,只是得到这种模式的HTML实体
$name = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $name);
$family = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $family);
and for email i did like this: 对于电子邮件,我确实是这样的:
$email = preg_replace("^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*(\.[a-zA-Z]{2,3})$^", "", $email);
is this preg_replace secure enough or maybe i need using htmlentity or htmlspecailchars? 这个preg_replace是否足够安全,或者我需要使用htmlentity或htmlspecailchars?
2-and for second question is it necessary to escape posted data which is from radio buttons or sellect options and if its necessary how should i escape them? 2-第二个问题是有必要转义来自单选按钮或Sellect选项的已发布数据,如果有必要,我应如何转义它们?
3-i just read about htmlpurifier..now if i have status field which user can i update it should i use html purifier for people statuses and this register form maybe? 3-i刚刚阅读了有关htmlpurifier..now的信息,如果我有status字段,我可以更新该用户,是否应该使用html purifier来显示人员状态,并且此注册表格可能是?
thanks in advance. 提前致谢。
HTMLPurifier is a very good and enough to prevent XSS attacks, and here is how you can use it. HTMLPurifier非常好,足以阻止XSS攻击,这是使用它的方法。
# In register.php page: require_once 'path/to/HTMLPurifier/library/HTMLPurifier.auto.php'; $config = HTMLPurifier_Config::createDefault(); $config->set('HTML.Doctype', 'HTML 4.01 Transitional'); $config->set("HTML.Allowed", ""); // this will NOT allow any html tags $purifier = new HTMLPurifier($config); # hash the provided password (don't apply HTMLPurifier on the password) $hash_password = sha1($_POST["password"]); $data = array(); # apply HTMLPurify on all submitted data foreach ($_POST as $key => $value) { $data["$key"] = mysql_real_escape_string($purifier->purify($value)); } # get birthday $data["birthday"] = $data["year"] . "-" . $data["month"] . "-" . $data["day"]; # insert submitted data into your database $result = mysql_query(" INSERT INTO table_name (name, family, email, password, birthday, gender) VALUES ('{$data["name"]}', '{$data["family"]}', '{$data["email"]}', '$hash_password', '{$data["birthday"]}', '{$data["gender"]}') "); ?>
NOTE: use male
and female
as values of the name
attributes of the 2 radio input tags instead of the gender[]
array 注意:使用male
和female
作为2个无线电输入标签的name
属性的值,而不要使用gender[]
数组
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.