0

我这里有这个文件:

<?php 
    include 'core/init.php';
    include 'includes/overall/header.php';

    if(empty($_POST) === false){
        $required_fields = array('username','password','password_again','first_name','email');
        foreach($_POST as $key=>$value){
            if(empty($value) && in_array($key, $required_fields) === true){
                $errors[] = 'Fields Marked with an asterisk are required';
                break 1;
            }
        }   

        if(empty($errors) === true){
            $args = $_POST;
            if(user_exists($args['username'])){
                $errors[] = 'Sorry, the username \''.$args['username'].'\' is already in use.';
            }else if(preg_match("/\\s/",$args['username']) == true){
                $errors[] = 'Your username can not contain any spaces.';
            }
            if(strlen($args['password']) < 6){
                $errors[] = "Your Password is to short! It must be at least 6 characters. If you want to know why you need to use a better password visit this page, <a href=\"http://howsecureismypassword.net/\">password checker</a>.<br/>";
            }else if($args['password'] !== $args['password_again']){
                $errors[] = "Your passwords do not match!";
            }
            if(filter_var($args['email'], FILTER_VALIDATE_EMAIL) === false){
                $errors[] = "A valid email address is required.";
            } else if(email_exists($args['email']) === true){
                $errors[] = 'Sorry, the email \''.$args['email'].'\' is already in use.';
            }
        }

    }


?>
<h1>Register</h1>
<?php 
    if(empty($_POST) === true){
        include 'includes/register.php'; 
    }else if(empty($_POST) === false && empty($errors) === true){
        //Register user
        echo "Registered User";
    }else{
        echo output_errors($errors);
        include 'includes/register.php'; 
    }?>
<?php include 'includes/overall/footer.php';?>

继承人register.php:

<?php
    $username = "";
    $first_name = "";
    $last_name = "";
    $email = "";
    if(empty($_POST) === false){
        $username = $_POST['username'];
        $first_name = $_POST['first_name'];
        $last_name = $_POST['last_name'];
        $email = $_POST['email'];
    }
?>
<form action="" method="POST">
    <ul>
        <li>Username*: <br/><input type="text" name="username" value="<?php echo $username;?>"/></li>
        <li>Password*: <br/><input type="text" name="password"/></li>
        <li>Confirm Password*: <br/><input type="text" name="password_again"/></li>
        <li>First name*: <br/><input type="text" name="first_name" value="<?php echo $first_name;?>"/></li>
        <li>Last name: <br/><input type="text" name="last_name" value="<?php echo $last_name;?>"/></li>
        <li>Email*: <br/><input type="text" name="email" value="<?php echo $email;?>"/></li>
        <li><input type="submit" value="Register"/></li>
    </ul>
</form>

这永远不会是一个真正的网站,只是我在玩 PHP,我意识到当用户提交他们的数据时,他们可以输入他们想要的任何内容,所以如果他们输入一些 HTML,会不会也渲染?喜欢...他们是否能够在输入字段中输入last_name一个类似的值"<p>blah blah blah</p>",这实际上会呈现为

  • 姓名:
    呜呜呜

    ""/>
  • 因为这对网站不是很不利吗?他们可以打破它还是什么?

    那么有什么东西可以解决这个问题吗?Like 用<and>替换标签&lt;&gt;并且使这些字符"变成\"或转义这些字符?

    另外...我的代码有什么严重问题吗?

    4

    2 回答 2

    3

    你需要的是: http: //php.net/manual/en/function.htmlentities.php

    实体

    此函数在所有方面都与 htmlspecialchars() 相同,除了 htmlentities() 之外,所有具有 HTML 字符实体等效项的字符都将转换为这些实体。

    于 2012-10-04T14:31:41.267 回答
    1

    您可以使用htmlspecialcharshtmlentities

    于 2012-10-04T14:32:16.103 回答