Protecting an API request form?

Time: 2014-06-19 11:34:01

Tags: php

OK, I have the following PHP:

    <?php

    //function to return nice url's for our pdf's
    function seoUrl($string) {
        //Lower case everything
        $string = strtolower($string);
        //Make alphanumeric (removes all other characters)
        $string = preg_replace("/[^a-z0-9_\s-]/", "", $string);
        //Clean up multiple dashes or whitespaces
        $string = preg_replace("/[\s-]+/", " ", $string);
        //Convert whitespaces and underscore to dash
        $string = preg_replace("/[\s_]/", "-", $string);
        return $string;
    }
    //Set up our POST variables
    $name = $_POST['name'];
    $address1 = $_POST['address1'];
    $address2 = $_POST['address2'];
    $zipcode = str_replace(' ', '', $_POST['zipcode']);
    //Store your XML Request in a variable
    $input_xml = urlencode('<ExternalReturnLabelRequest>
                            <CustomerName>'.$name.'</CustomerName>
                            <CustomerAddress1>'.$address1.'</CustomerAddress1>
                            <CustomerAddress2>'.$address2.'</CustomerAddress2>
                            <CustomerCity>Washington</CustomerCity>
                            <CustomerState>DC</CustomerState>
                            <CustomerZipCode>'.$zipcode.'</CustomerZipCode>
                            <LabelFormat>NOI</LabelFormat>
                            <LabelDefinition>Zebra-4X6</LabelDefinition>
                            <ServiceTypeCode>020</ServiceTypeCode>
                            <AddressOverrideNotification>false</AddressOverrideNotification>
                            <CallCenterOrSelfService>Customer</CallCenterOrSelfService>
                            <AddressValidation>false</AddressValidation>
                            </ExternalReturnLabelRequest>');

    //start Curl tried file_get_contents but to no avail..
    $curl_handle = curl_init();
    curl_setopt($curl_handle, CURLOPT_URL, "https://returns.usps.com/Services/ExternalCreateReturnLabel.svc/ExternalCreateReturnLabel?externalReturnLabelRequest=".$input_xml);
    curl_setopt($curl_handle, CURLOPT_CONNECTTIMEOUT, 2);
    curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, 1);
    $query = curl_exec($curl_handle);
    curl_close($curl_handle);

    //decode the response this will fail if nothing returned
    $pdfdecode = base64_decode($query);

    if ($pdfdecode != false) {

        $urlfriendlyname = seoUrl($name);
        $myFile = "labels/labelfor".$urlfriendlyname.$zipcode.".pdf";
        $fh = fopen($myFile, 'w') or die("can't open file");
        fwrite($fh, $pdfdecode);
        fclose($fh);

        header("Location: http://thedarkroom.com/wp-content/themes/thedarkroom2012/".$myFile);
        exit();

        /*
        MID 201198
        */
    } else {
        header("Location: http://thedarkroom.com/label/?labelerror=".$query);
        exit();
    }
    echo "<pre>";

    var_dump($pdfdecode);
    var_dump($query);

    echo "</pre>";

And this HTML:

            <form method="POST" action="<?php echo get_template_directory_uri(); ?>/get_labels.php" >
                <fieldset id="labelfields">
                    <label for="name">Name</label><br>
                    <input name="name" type="text" placeholder="Name"/> <br>
                    <label for="address1">Address Line one</label>
                    <input name="address1" type="text" placeholder="Address line one"/><br>
                    <label for="address2">Address Line two</label>
                    <input name="address2" type="text" placeholder="Address line two"/><br>
                    <label for="zipcode">Zip code</label>
                    <input name="zipcode" type="text"  placeholder="Zip Code"/><br>
                    <label for="CustomerState">State</label>
                    <input name="CustomerState" type="text"  placeholder="State"/><br>
                    <label for="CustomerCity">City</label>
                    <input name="CustomerCity" type="text"  placeholder="City"/><br>
                    <input type="submit" value="Create Label" />
                </fieldset>
            </form>

What is the best practice for getting this protected? I went with strip tags...

1 answer:

Answer 0: (score: 0)

All data coming to your server must be checked and sanitized. Always. No exceptions.

Escape potentially dangerous characters. Which specific characters you need to be careful with depends on the context in which the data is used and on the server platform you are using, but every server-side language has this functionality.

Limit the amount of incoming data to allow only what is necessary.

Sandbox uploaded files (store them on a different server, and only allow access to the file through a different subdomain, or even better through a completely different domain name).

To prevent cross-site request forgery, see this article: http://shiflett.org/articles/cross-site-request-forgeries
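One way to apply the answer's points (validate and limit, escape for the XML context, keep input out of file names and redirects, check a CSRF token) to the get_labels.php handler from the question. This is an added example, not code from the question or the answer; it assumes the form page stores a random token in $_SESSION['csrf_token'] and emits it in a hidden input named csrf_token.

```php
<?php
// Added example, not the asker's or answerer's code. Assumes the form page
// put a random token in $_SESSION['csrf_token'] and a hidden input
// named csrf_token (assumed names) in the form.
session_start();

// CSRF: reject any POST whose token does not match the session's token.
if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    http_response_code(403);
    exit('Invalid request token');
}

// Validate and limit: length caps, no control characters, strict zip format.
// Reject bad input instead of silently stripping it.
$clean = [];
foreach (['name' => 100, 'address1' => 100, 'address2' => 100] as $field => $max) {
    $value = trim((string)($_POST[$field] ?? ''));
    if (($value === '' && $field !== 'address2')
        || strlen($value) > $max || preg_match('/[\x00-\x1F\x7F]/', $value)) {
        http_response_code(400);
        exit("Invalid $field");
    }
    $clean[$field] = $value;
}
$zipcode = str_replace(' ', '', (string)($_POST['zipcode'] ?? ''));
if (!preg_match('/^\d{5}(\d{4})?$/', $zipcode)) {
    http_response_code(400);
    exit('Invalid zip code');
}

// Escape for the context: the data lands in XML, so build it with DOMDocument
// text nodes instead of string concatenation.
$doc = new DOMDocument('1.0', 'UTF-8');
$req = $doc->appendChild($doc->createElement('ExternalReturnLabelRequest'));
$values = [
    'CustomerName'     => $clean['name'],
    'CustomerAddress1' => $clean['address1'],
    'CustomerAddress2' => $clean['address2'],
    'CustomerZipCode'  => $zipcode,
    'LabelFormat'      => 'NOI',
];
foreach ($values as $tag => $text) {
    $el = $req->appendChild($doc->createElement($tag));
    $el->appendChild($doc->createTextNode($text)); // '<', '>', '&' become entities
}
$input_xml = urlencode($doc->saveXML($req)); // goes in the request URL as before

// Keep user input out of the file name and URL-encode anything reflected back.
$myFile = 'labels/label-' . bin2hex(random_bytes(8)) . '.pdf';
$errorUrl = 'http://thedarkroom.com/label/?labelerror=' . urlencode('request failed');
```

The remaining fixed elements of the request (city, state, service type and so on) are added to $req the same way as the fields shown.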