Question

我这里有这个文件：

<?php 
    include 'core/init.php';
    include 'includes/overall/header.php';

    if(empty($_POST) === false){
        $required_fields = array('username','password','password_again','first_name','email');
        foreach($_POST as $key=>$value){
            if(empty($value) && in_array($key, $required_fields) === true){
                $errors[] = 'Fields Marked with an asterisk are required';
                break 1;
            }
        }   

        if(empty($errors) === true){
            $args = $_POST;
            if(user_exists($args['username'])){
                $errors[] = 'Sorry, the username \''.$args['username'].'\' is already in use.';
            }else if(preg_match("/\\s/",$args['username']) == true){
                $errors[] = 'Your username can not contain any spaces.';
            }
            if(strlen($args['password']) < 6){
                $errors[] = "Your Password is to short! It must be at least 6 characters. If you want to know why you need to use a better password visit this page, <a href=\"http://howsecureismypassword.net/\">password checker</a>.<br/>";
            }else if($args['password'] !== $args['password_again']){
                $errors[] = "Your passwords do not match!";
            }
            if(filter_var($args['email'], FILTER_VALIDATE_EMAIL) === false){
                $errors[] = "A valid email address is required.";
            } else if(email_exists($args['email']) === true){
                $errors[] = 'Sorry, the email \''.$args['email'].'\' is already in use.';
            }
        }

    }


?>
<h1>Register</h1>
<?php 
    if(empty($_POST) === true){
        include 'includes/register.php'; 
    }else if(empty($_POST) === false && empty($errors) === true){
        //Register user
        echo "Registered User";
    }else{
        echo output_errors($errors);
        include 'includes/register.php'; 
    }?>
<?php include 'includes/overall/footer.php';?>

Heres register.php：

<?php
    $username = "";
    $first_name = "";
    $last_name = "";
    $email = "";
    if(empty($_POST) === false){
        $username = $_POST['username'];
        $first_name = $_POST['first_name'];
        $last_name = $_POST['last_name'];
        $email = $_POST['email'];
    }
?>
<form action="" method="POST">
    <ul>
        <li>Username*: <br/><input type="text" name="username" value="<?php echo $username;?>"/></li>
        <li>Password*: <br/><input type="text" name="password"/></li>
        <li>Confirm Password*: <br/><input type="text" name="password_again"/></li>
        <li>First name*: <br/><input type="text" name="first_name" value="<?php echo $first_name;?>"/></li>
        <li>Last name: <br/><input type="text" name="last_name" value="<?php echo $last_name;?>"/></li>
        <li>Email*: <br/><input type="text" name="email" value="<?php echo $email;?>"/></li>
        <li><input type="submit" value="Register"/></li>
    </ul>
</form>

这不是一个真正的网站，它只是我玩PHP，我意识到当用户提交他们的数据时，他们可以放入他们想要的东西，所以如果他们放入一些HTML它会呈现吗？喜欢......他们是否能够在输入字段last_name中加入"<p>blah blah blah</p>"这样的值，这实际上会呈现为

姓氏：
blah blah blah

“”/＆gt;

因为对网站来说不是那么糟糕吗？他们可以打破它或什么？

那么有什么能解决这个问题吗？就像用<和>替换<和>之类的标签，并将"变为\"或者转义这些字符？

另外......我的代码有什么特别的错误吗？

Answer 1

您需要的是：http://php.net/manual/en/function.htmlentities.php

<强>ヶ辆

此功能在各方面与htmlspecialchars（）相同，除外使用htmlentities（），所有具有HTML字符实体的字符等价物被翻译成这些实体。

Answer 2

您可以使用htmlspecialchars或htmlentities。

用PHP，HTML输入注册用户？

2 个答案: