如何在表单输入中阻止 HTML?
因此,我有一个基本的小脚本,它从 HTML 表单获取输入,由 PHP 进行处理,然后以 CSS 的形式将其写入文本文件。我已经遇到了一些混蛋试图删除服务器上的表(没有 SQL,但我还是想阻止人们尝试)这是我迄今为止拥有的代码,有人可以帮助我阻止潜在的不良行为吗?通过 htmlentities 或其他方式输入?
HTML 表单
<html><body>
<h4>Codes Form</h4>
<form action="codes.php" method="post">
Username: <input name="Username" type="text" />
Usercode: <input name="Usercode" type="text" />
<input type="submit" value="Post It!" />
</form>
</body></html>
PHP
<html><body>
<?php
$Friendcode = $_POST['Usercode'];
$Username = $_POST['Username'];
echo "You have recorded the following information on the server ". $Username . " " . $Usercode . ".<br />"; echo "Thanks for contributing!";
$output = ".author[href\$=\"$Username\"]:after { \n"
."content: \" ($Usercode)\" !important\n"
."}";
}
$fp = fopen('file.txt', 'a');
fwrite($fp, $output);
fwrite($fp, "\n");
fclose($fp);
?>
</body></html>
So, I have a basic little script that takes input from an HTML form, is processes by PHP and then writes it to a text file in the form of CSS. I've already got some jerkwad trying to drop tables on the server (There is no SQL but I'd like to keep people from trying none the less) Here is the code that I have thus far, can someone help me block potentially bad input via htmlentities or something else?
The HTML Form
<html><body>
<h4>Codes Form</h4>
<form action="codes.php" method="post">
Username: <input name="Username" type="text" />
Usercode: <input name="Usercode" type="text" />
<input type="submit" value="Post It!" />
</form>
</body></html>
The PHP
<html><body>
<?php
$Friendcode = $_POST['Usercode'];
$Username = $_POST['Username'];
echo "You have recorded the following information on the server ". $Username . " " . $Usercode . ".<br />"; echo "Thanks for contributing!";
$output = ".author[href\$=\"$Username\"]:after { \n"
."content: \" ($Usercode)\" !important\n"
."}";
}
$fp = fopen('file.txt', 'a');
fwrite($fp, $output);
fwrite($fp, "\n");
fclose($fp);
?>
</body></html>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
您可以使用 htmlentities 将 html 标签转换为其 html 等效项。 <或者你可以使用 strp_tags 删除所有 html标签。如果您使用 sql,请使用 mysql_real_escape_string 来制作sql查询更安全
You can use htmlentities to convert html tags to their html equiv. < etc. Or you can use strp_tags to get rid of all html tags. If you are using sql use mysql_real_escape_string to make sql queries safer
每当您在 HTML 代码 中包含用户输入的数据时,最好先对数据进行编码,将其传递到
htmlspecialchars()中。将其视为净化室。这将确保任何 HTML 特殊字符,例如“<”和“>” (致命病毒)会被正确地转义(杀死),并且不会以“真实”HTML 标签的形式出现在您的页面中(不会使您的网页出现问题)。
同样,当将用户输入包含在 SQL 查询中时,您也必须对其进行编码。您用于此目的的函数根据您使用的数据库而有所不同。由于 PHP 的动态特性,如果您要在 SQL 查询中包含数值,则必须首先使用
is_numeric()和等函数进行检查以确保变量包含数字。 >ctype_digit()。Whenever you include data entered by the user in HTML code, it is always a good idea to first encode the data, by passing it into
htmlspecialchars().Think of it as a decontamination chamber. This will ensure that any of the HTML special chacters, such as "<" and ">" (deadly viruses) are properly escaped (killed) and won't show up in your page as "real" HTML tags (won't make your webpage sick).
Similarly, you must also encode user input when including it in SQL queries. The function that you use for this purpose varies depending on the database that you are using. Because of the dynamic nature of PHP, if you are a including numeric value in a SQL query, you must first check to make sure the variable contains a number by using functions such as
is_numeric()andctype_digit().我认为阻止 HTML 的最佳方法是仅允许您认为用户名或用户代码可能具有的字符。
例如,将输入限制为字母、数字和下划线,并修剪字符串开头和结尾的空格。只要 HTML 代码作为输入提供,此验证就会失败。
I think the best way to block HTML is to allow only the characters you think a username or a user code may have.
For example, limit the input to letters, numbers and underscores and trim the whitespaces in the beginning and the end of the string. This validation will fail whenever HTML code is provided as input.
我建议使用正则表达式在客户端和服务器端执行此操作。可以在此处找到客户端示例: jQuery 删除除锚点之外的所有 HTML 标签< /a>
I would suggest doing this on both client and server side, with a regex. A client-side example can be found here: jQuery remove all HTML tags EXCEPT Anchors
如果有人直接在浏览器中输入
code.php的 url 会发生什么?他们将收到未定义偏移量的通知。您至少应该检查
$_POST是否不为空。验证用户名和用户代码中的特殊字符以及您允许他们在 PHP 服务器端输入的内容
What happen if someone directly type the url of
code.phpin browser. They will get the Notice of undefined offset.You should make at least a check if
$_POSTis not empty.Validate the user name and user code for special characters and what you allow them to enter with PHP sever side
@Zer0mod:我会使用 strip_tags 来摆脱 HTML 和 < a href="http://www.php.net/manual/en/function.mysql-real-escape-string.php" rel="nofollow">mysql_real_escape_string 来处理任何潜在的 SQL 注入。
@Zer0mod: I'd use strip_tags to get rid of HTML and mysql_real_escape_string to take care of any potential SQL injections.
使用 PHP 将每个符号转换为 HTML 数字!请前往 htmlentities() 了解有关执行此操作的详细信息。
Use PHP to convert every symbol to HTML numbers! Head on over to htmlentities() for details about doing so.