我这里有这个文件:
<?php
include 'core/init.php';
include 'includes/overall/header.php';
if(empty($_POST) === false){
$required_fields = array('username','password','password_again','first_name','email');
foreach($_POST as $key=>$value){
if(empty($value) && in_array($key, $required_fields) === true){
$errors[] = 'Fields Marked with an asterisk are required';
break 1;
}
}
if(empty($errors) === true){
$args = $_POST;
if(user_exists($args['username'])){
$errors[] = 'Sorry, the username \''.$args['username'].'\' is already in use.';
}else if(preg_match("/\\s/",$args['username']) == true){
$errors[] = 'Your username can not contain any spaces.';
}
if(strlen($args['password']) < 6){
$errors[] = "Your Password is to short! It must be at least 6 characters. If you want to know why you need to use a better password visit this page, <a href=\"http://howsecureismypassword.net/\">password checker</a>.<br/>";
}else if($args['password'] !== $args['password_again']){
$errors[] = "Your passwords do not match!";
}
if(filter_var($args['email'], FILTER_VALIDATE_EMAIL) === false){
$errors[] = "A valid email address is required.";
} else if(email_exists($args['email']) === true){
$errors[] = 'Sorry, the email \''.$args['email'].'\' is already in use.';
}
}
}
?>
<h1>Register</h1>
<?php
if(empty($_POST) === true){
include 'includes/register.php';
}else if(empty($_POST) === false && empty($errors) === true){
//Register user
echo "Registered User";
}else{
echo output_errors($errors);
include 'includes/register.php';
}?>
<?php include 'includes/overall/footer.php';?>
继承人register.php:
<?php
$username = "";
$first_name = "";
$last_name = "";
$email = "";
if(empty($_POST) === false){
$username = $_POST['username'];
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$email = $_POST['email'];
}
?>
<form action="" method="POST">
<ul>
<li>Username*: <br/><input type="text" name="username" value="<?php echo $username;?>"/></li>
<li>Password*: <br/><input type="text" name="password"/></li>
<li>Confirm Password*: <br/><input type="text" name="password_again"/></li>
<li>First name*: <br/><input type="text" name="first_name" value="<?php echo $first_name;?>"/></li>
<li>Last name: <br/><input type="text" name="last_name" value="<?php echo $last_name;?>"/></li>
<li>Email*: <br/><input type="text" name="email" value="<?php echo $email;?>"/></li>
<li><input type="submit" value="Register"/></li>
</ul>
</form>
这永远不会是一个真正的网站,只是我在玩 PHP,我意识到当用户提交他们的数据时,他们可以输入他们想要的任何内容,所以如果他们输入一些 HTML,会不会也渲染?喜欢...他们是否能够在输入字段中输入last_name
一个类似的值"<p>blah blah blah</p>"
,这实际上会呈现为
呜呜呜""/>
因为这对网站不是很不利吗?他们可以打破它还是什么?
那么有什么东西可以解决这个问题吗?Like 用<
and>
替换标签<
,>
并且使这些字符"
变成\"
或转义这些字符?
另外...我的代码有什么严重问题吗?