$ _POST [＆＃39;输入＆＃39;]到PHP定义字符串

Question

我正在尝试将表单中的$_POST输入插入到php页面中。有什么理由说这不行吗？我没有收到任何错误，但我也没有得到预期的结果

HTML 的

<form action="cross-domain-page.php" method="post">
<input type="text" name="phone" value="555555555">
<input type="text" name="fname" value="john">
<input type="text" name="lname" value="doe">
<input type="text" name="email" value="example@address.com">
<input type="text" name="attr" value="<xml>xml-value</xml>">
<input type="submit" name="submit" value="submit">
</form>

---

PHP

<?php
/*
$phone = $_POST['phone'];
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$email = $_POST['email'];
$attr = $_POST['attr'];
*/
/**
 * Define POST URL and also payload
 */
define('XML_PAYLOAD', '<subscriptions><opt_in>invite</opt_in><user><mobile-phone>' . $_POST['phone'] . '</mobile-phone><first-name>' . $_POST['fname'] . '</first-name><last-name>' . $_POST['lname'] . '</last-name><email>' . $_POST['email'] . '</email>' . $_POST['attr'] . '</user></subscriptions>');
define('XML_POST_URL', $_POST['URL']);

/**
 * Initialize handle and set options
 */
$username = 'username';
$password = 'password';
$ch = curl_init();
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/xml'));
curl_setopt($ch, CURLOPT_URL, XML_POST_URL);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC ) ; 
curl_setopt($ch, CURLOPT_USERPWD, $username . ":" . $password);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 4);
curl_setopt($ch, CURLOPT_POSTFIELDS, XML_PAYLOAD);
curl_setopt($ch, CURLOPT_VERBOSE, true);


/**
 * Execute the request and also time the transaction
 */
$start = array_sum(explode(' ', microtime()));
$result = curl_exec($ch);
$stop = array_sum(explode(' ', microtime()));
$totalTime = $stop - $start;

/**
 * Check for errors
 */
if ( curl_errno($ch) ) {
    $result = 'cURL ERROR -> ' . curl_errno($ch) . ': ' . curl_error($ch);
} else {
    $returnCode = (int)curl_getinfo($ch, CURLINFO_HTTP_CODE);
    switch($returnCode){
        case 200:
            break;
        default:
            $result = 'HTTP ERROR -> ' . $returnCode;
            break;
    }
}

/**
 * Close the handle
 */
curl_close($ch);

/**
 * Output the results and time
 */
echo 'Total time for request: ' . $totalTime . "\n";
echo $result;  

/**
 * Exit the script
 */
exit(0);
?>

Answer 1

1. 预期结果是什么？假设常量XML_PAYLOAD应该包含带有插入值的XML ...
2. 症状是什么？
3. 发布用于发送帖子数据的表单的html代码也可能有帮助。
4. 此外：嵌入到XML文档中时，所有输入都应该是XML编码的。想想利用读取XML文档的组件的潜在漏洞的XSS攻击 - 或者发送的输入只是无效的XML。

Answer 2

改为使用

 define('XML_POST_URL', $_POST['URL']);

旁注：将用户输入定义为常量是非常糟糕的做法..