0

我正在制作一个内容管理系统。我允许用户通过表单发布一些信息,然后在新页面上使用这些信息(例如“页面标题”和“轮播速度”),但我正在努力将这些信息放入生成的页面。

要添加我正在使用的站点的内容$page .= <<<'EOT'并将 html 放置在其中,但尝试在其中回$_POST显变量意味着 PHP 代码将在我将其写入 EOT 时出现,而不是结果。

有没有办法告诉 EOT 将其<?php echo $_POST['speed'] ?>视为例外?

<?php

    $addTo = $_POST['addTo'];
    //$visit = $_POST['visit'];
    $dir = $_POST['name'];
    $desc = $_POST['desc'];

    $dir = preg_replace('/\s+/', '_', $dir);

    mkdir($addTo.'/'.$dir, 0777);
    mkdir($addTo.'/'.$dir.'/photos', 0777);

    //Make page
    $content = "he";
    $myfile = fopen ($addTo.'/'.$dir.'/index.php', "w") or die ("Unable to open file!");
    $page = "";
    $speed = $_POST['speed'];



$page .= <<<'EOT'

<head>
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
    <script src="https://code.jquery.com/jquery-3.1.0.min.js" integrity="sha256-cCueBR6CsyA4/9szpPfrX3s49M9vUU5BgtiJj06wt/s=" crossorigin="anonymous"></script>
    <script src="https://use.fontawesome.com/2c6a42bed3.js"></script>
    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
</head>

<body>

    <div id="myCarousel" class="carousel slide" data-ride="carousel">
      <!-- Indicators -->
      <ol class="carousel-indicators" style="display:none">
        <li data-target="#myCarousel" data-slide-to="0" class="active"></li>
        <li data-target="#myCarousel" data-slide-to="1"></li>
        <li data-target="#myCarousel" data-slide-to="2"></li>
        <li data-target="#myCarousel" data-slide-to="3"></li>
      </ol>

      <!-- Wrapper for slides -->
      <div class="carousel-inner" role="listbox">

        <?php

            $active = "active";
            $url = $_SERVER['REQUEST_URI'].'photos/';
            //echo $url." - url<br/>";

            $conn = mysqli_connect("localhost","root","","test");

            $sql = "SELECT speed FROM pages WHERE title = ''";

            if (mysqli_connect_errno()) {echo "Failed to connect to MySQL: " . mysqli_connect_error();}
            $sql = "SELECT * FROM photos WHERE url = '$url'"; 

            $result = mysqli_query($conn, $sql);

            while($row = mysqli_fetch_array($result)) {
                ?> 
                    <div class="item <?=$active?>">
                        <img src="<?php echo $row['url'].$row['caption']; ?>">
                    </div> 
                <?php

                $active="";

            }

            $conn->close();

        ?>

      </div>

      <!-- Left and right controls -->
      <a class="left carousel-control" href="#myCarousel" role="button" data-slide="prev">
        <span class="glyphicon glyphicon-chevron-left" aria-hidden="true"></span>
        <span class="sr-only">Previous</span>
      </a>
      <a class="right carousel-control" href="#myCarousel" role="button" data-slide="next">
        <span class="glyphicon glyphicon-chevron-right" aria-hidden="true"></span>
        <span class="sr-only">Next</span>
      </a>
    </div>




</body>
<script type="text/javascript">
    $(document).ready(function(){
         $("#myCarousel").carousel({
             interval : 420,
             pause: false
         });
    });
</script>

%s

EOT;


?> 
<?php

    $output = sprintf($page, $speed);
    echo $output;

    fwrite($myfile, $page);
    fclose($myfile);

    $conn = mysqli_connect("localhost","root","","test");

    if (mysqli_connect_errno()) {echo "Failed to connect to MySQL: " . mysqli_connect_error();}

    $sql = "INSERT INTO pages (title, type, description, active, speed) VALUES ('$dir', '$addTo','$desc' , '1', '$speed')";

    if ($conn->query($sql) === TRUE) {
        echo "New record created successfully";
    } else {
        echo "Error: " . $sql . "<br>" . $conn->error;
    }

    $conn->close();

    //Redirect
    if (isset($visit)){
        //header('Location:index.php?newPage='.$addTo.'/'.$dir.'/'.$filename);
    }

    else {
        //header('Location:index.php?newPage='.$addTo.'/'.$dir.'/'.$filename);
    }

?>
4

1 回答 1

1

有没有办法告诉 EOT 将其<?php echo视为例外?

不,没有,除非你'EOT'"EOT". 第一个(您当前正在使用的)将所有内容都视为原始字符串。第二个在 PHP 中就像双引号一样工作,因此将解析字符串并识别变量。

我会继续使用,并在字符串中'EOT'插入占位符。%s然后我会用sprintf值替换占位符(请参阅文档

// the %s will be replaced later with your values
$template = <<< 'EOT'
The car has speed %s and a mileage of %s ...
EOT;

//build the args. Use htmlspecialchars to protect your users from
// Cross-Site Scripting attacks
$args = [
    htmlspecialchars($_POST['speed']),
    htmlspecialchars($_POST['mileage']),
    ...
];

//insert the args into the template
$output = sprintf($template, ...$args);

echo $output;

安全注意事项:由于您将用户发送回浏览器的字符串输出,因此您很容易受到跨站脚本 (XSS) 攻击:用户可以让您的网站执行她想要的任何代码,因为您正在使用她的输入来构建这页纸。我清理了输入htmlspecialchars()以保护您。

于 2016-08-02T14:42:47.663 回答