-2

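I am trying to insert the input from a $_POST form into a PHP page. Is there any reason this should not be done? I am not getting any errors, but I am also not getting the expected result.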

HTML

<form action="cross-domain-page.php" method="post">
<input type="text" name="phone" value="555555555">
<input type="text" name="fname" value="john">
<input type="text" name="lname" value="doe">
<input type="text" name="email" value="example@address.com">
<input type="text" name="attr" value="<xml>xml-value</xml>">
<input type="submit" name="submit" value="submit">
</form>

PHP

<?php
/*
$phone = $_POST['phone'];
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$email = $_POST['email'];
$attr = $_POST['attr'];
*/
/**
 * Define POST URL and also payload
 */
define('XML_PAYLOAD', '<subscriptions><opt_in>invite</opt_in><user><mobile-phone>' . $_POST['phone'] . '</mobile-phone><first-name>' . $_POST['fname'] . '</first-name><last-name>' . $_POST['lname'] . '</last-name><email>' . $_POST['email'] . '</email>' . $_POST['attr'] . '</user></subscriptions>');
define('XML_POST_URL', $_POST['URL']);

/**
 * Initialize handle and set options
 */
$username = 'username';
$password = 'password';
$ch = curl_init();
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/xml'));
curl_setopt($ch, CURLOPT_URL, XML_POST_URL);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC ) ; 
curl_setopt($ch, CURLOPT_USERPWD, $username . ":" . $password);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 4);
curl_setopt($ch, CURLOPT_POSTFIELDS, XML_PAYLOAD);
curl_setopt($ch, CURLOPT_VERBOSE, true);


/**
 * Execute the request and also time the transaction
 */
$start = array_sum(explode(' ', microtime()));
$result = curl_exec($ch);
$stop = array_sum(explode(' ', microtime()));
$totalTime = $stop - $start;

/**
 * Check for errors
 */
if ( curl_errno($ch) ) {
    $result = 'cURL ERROR -> ' . curl_errno($ch) . ': ' . curl_error($ch);
} else {
    $returnCode = (int)curl_getinfo($ch, CURLINFO_HTTP_CODE);
    switch($returnCode){
        case 200:
            break;
        default:
            $result = 'HTTP ERROR -> ' . $returnCode;
            break;
    }
}

/**
 * Close the handle
 */
curl_close($ch);

/**
 * Output the results and time
 */
echo 'Total time for request: ' . $totalTime . "\n";
echo $result;  

/**
 * Exit the script
 */
exit(0);
?>

2 Answers

1
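  1. What is the expected result? Presumably the constant XML_PAYLOAD should contain the XML with the values inserted...
  2. What are the symptoms?
  3. Posting the HTML code of the form you use to send the POST data might also help.
  4. Also: all input should be XML-encoded when it is embedded in an XML document. Think of XSS attacks that exploit potential vulnerabilities in the component reading the XML document - or of input being sent that is simply not valid XML.
Answered 2014-06-12T22:26:44.440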
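
Point 4 of the answer above, as an added example (not code from the question or from either answer): the same payload built with PHP's DOM extension, so that text fields are XML-encoded on serialization and the `attr` field, which is meant to carry markup, is accepted only if it parses as a well-formed fragment. The function name `build_payload` and the sample input are constructed for illustration.

```php
<?php
// Added example: build the subscription payload with DOM instead of string concatenation.
// build_payload() and the sample input below are constructed for illustration.
function build_payload(array $in): string
{
    $doc  = new DOMDocument('1.0', 'UTF-8');
    $root = $doc->appendChild($doc->createElement('subscriptions'));
    $root->appendChild($doc->createElement('opt_in'))
         ->appendChild($doc->createTextNode('invite'));
    $user = $root->appendChild($doc->createElement('user'));

    // Element name in the payload => form field name from the question's form.
    $fields = ['mobile-phone' => 'phone', 'first-name' => 'fname',
               'last-name' => 'lname', 'email' => 'email'];
    foreach ($fields as $tag => $key) {
        $value = $in[$key] ?? '';
        if (!is_string($value)) {
            throw new InvalidArgumentException("$key must be a string");
        }
        // A text node is escaped (<, >, &) when the document is serialized.
        $user->appendChild($doc->createElement($tag))
             ->appendChild($doc->createTextNode($value));
    }

    // attr is intended to contain XML, so parse it rather than paste it in.
    $attr = $in['attr'] ?? '';
    if (is_string($attr) && $attr !== '') {
        $previous = libxml_use_internal_errors(true); // collect parse errors quietly
        $fragment = $doc->createDocumentFragment();
        $ok = $fragment->appendXML($attr);
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
        if (!$ok) {
            throw new InvalidArgumentException('attr is not well-formed XML');
        }
        $user->appendChild($fragment);
    }
    return $doc->saveXML();
}

// Constructed sample input; in the question's script this array would be $_POST.
echo build_payload([
    'phone' => '555555555',
    'fname' => 'john & <b>jane</b>', // markup characters in a plain text field
    'lname' => 'doe',
    'email' => 'example@address.com',
    'attr'  => '<xml>xml-value</xml>',
]);
```

Well-formedness of `attr` only guarantees the payload parses; which elements a submitter may place there is still for the receiving service, or an allow-list in this script, to decide.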
0

Use this instead

 define('XML_POST_URL', $_POST['URL']);

Side note: defining user input as a constant is very bad practice.

Answered 2014-06-12T22:14:42.457