开发者

Problems with my GET form in PHP

I made a GET form recently.But the problem is that it is highly vulnerable.You can inject your an script as below.

http://mysite.com/processget.phtml?search=<a href="http://google.com">Hacked</a>

I'm able to inject any kind of script into my above开发者_高级运维 URL.I'm actually echoing my GET data using an echo in my BODY,so whenever i enter a malicious script it is being executed in my BODY tag.So now how do i limit this http://mysite.com/processget.phtml?search= to just Number,letters and a few symbols which i want.

For ex.The user should only be able to enter

http://mysite.com/processget.phtml?search=A123123+*$

So can anyof you help me fix this bug.I'm kind of new to PHP,so please explain.


if (!empty($_GET['search'])) {
    $search = htmlentities($_GET['search'],ENT_QUOTES,'UTF-8');
    echo $search;
}

Now it's safe.

But if you want to limit to specific symbols, then you need to use regular expressions.


You can let a user enter whatever you like; the key is to escape the output. Then the string is displayed as desired, rather than included as HTML.

Use a php function like htmlentities


Strip the tags:

echo strip_tags($_GET['search']);

Actually, you may want htmlspecialchars instead, which escapes the tags instead of removing them so they display as intended:

echo htmlspecialchars($_GET['search']);
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜