What should I do to prevent XSS code?

Time: 2016-06-05 18:22:39

Tags: javascript php jquery

I have already escaped my fields, but when I create XSS code like <script>alert(one frame);</script>, the table that is used specifically to display the dates sends the XSS code to my database. I want that, when I make my own XSS code, the JS script is not sent to my database.

// Input handling as written: each text field is HTML-encoded with htmlspecialchars(),
// then has backslashes removed with stripslashes(), then is trimmed, before it is
// handed to the model. The encoded form is what ends up stored in the database.
$code           = trim(stripslashes(htmlspecialchars($_POST['code'])));
$product        = trim(stripslashes(htmlspecialchars($_POST['product'])));
$result         = new sale();
$sale_type      = $result->getTypeSaleById($_POST['sale_type'])); // looked up directly, not escaped
$purchase_price = trim(stripslashes(htmlspecialchars($_POST['purchase_price'])));
$sale_price     = trim(stripslashes(htmlspecialchars($_POST['sale_price'])));
$min_stock      = trim(stripslashes(htmlspecialchars($_POST['min_stock'])));
$stock          = trim(stripslashes(htmlspecialchars($_POST['max_stock'])));

My controller

case 'add_product':
    // Reached from the switch on the posted action (the JavaScript sends boton=add_product).
    // Every field must be present; the price fields must also be non-zero.
    if (isset($_POST['code']) && $_POST['code'] != ''
        && isset($_POST['product']) && $_POST['product'] != ''
        && isset($_POST['sale_type']) && $_POST['sale_type'] != ''
        && isset($_POST['purchase_price']) && $_POST['purchase_price'] != 0
        && isset($_POST['sale_price']) && $_POST['sale_price'] != 0
        && isset($_POST['min_stock']) && $_POST['min_stock'] != ''
        && isset($_POST['max_stock']) && $_POST['max_stock'] != '') {
        // Same escape-on-input treatment as above
        $code           = trim(stripslashes(htmlspecialchars($_POST['code'])));
        $product        = trim(stripslashes(htmlspecialchars($_POST['product'])));
        $result         = new sale();
        $sale_type      = $result->getTypeSaleById($_POST['sale_type']);
        $purchase_price = trim(stripslashes(htmlspecialchars($_POST['purchase_price'])));
        $sale_price     = trim(stripslashes(htmlspecialchars($_POST['sale_price'])));
        $min_stock      = trim(stripslashes(htmlspecialchars($_POST['min_stock'])));
        $stock          = trim(stripslashes(htmlspecialchars($_POST['max_stock'])));
        $newProduct     = new product();
        // The model's add() returns true on success; the plain-text reply is what the
        // JavaScript .done() handler compares against 'success'
        if ($newProduct->add($code, $product, $sale_type, $purchase_price, $sale_price, $min_stock, $stock)) {
            echo "success";
        } else {
            echo "it cannot be added";
        }
    } else {
        echo "something went wrong";
    }
    break;

My JavaScript function

function addProduct() {
    var code           = $('#code').val();
    var product        = $('#product').val();
    var sale_type      = $('#sale_type').val();
    var purchase_price = $('#purchase_price').val();
    var sale_price     = $('#sale_price').val();
    var min_stock      = $('#min_stock').val();
    var max_stock      = $('#max_stock').val();
    var valCheck = verificar(); // client-side form validation, defined elsewhere in the page
    if (valCheck == true) {
        $.ajax({
            url: '../controller/product_controller.php',
            type: 'POST',
            // Pass an object so jQuery URL-encodes each value. Concatenating the raw
            // values into a 'key=value&key=value' string (as originally written) breaks
            // the request as soon as a field contains &, =, + or #.
            data: {
                code: code,
                product: product,
                sale_type: sale_type,
                purchase_price: purchase_price,
                sale_price: sale_price,
                min_stock: min_stock,
                max_stock: max_stock,
                boton: 'add_product'
            }
        }).done(function (ans) {
            if (ans == 'success') {
                // Reset the form and refresh the product list
                $('#code,#product,#purchase_price,#sale_price').val("");
                $('#sale_type').val('0');
                $('#min_stock,#max_stock').val('0');
                $('#success').show().delay(2000).fadeOut();
                searchProduct('', '1');
            } else {
                alert(ans);
            }
        });
    }
}

[Screenshot: XSS code in the database datatable]

1 answer:

Answer 0 (score: -1)

Use the htmlspecialchars() function when displaying the data from the database.
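The answer is terse but states the right rule: store what the user typed, and encode it for HTML at the point where it is written into the page. The following is an added example that illustrates that rule; it is not the asker's code and not the answerer's. It assumes PDO with the pdo_sqlite driver (an in-memory database), a hypothetical `product` table whose column names follow the question's field names, and a small `h()` helper; all of those are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer. Assumes PDO with the
// pdo_sqlite driver and a made-up `product` table; h(), addProduct() and
// renderProductRows() are names chosen for this example.

// Encode a string for an HTML text node or a quoted attribute value.
// ENT_QUOTES also encodes the single quote, ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string, and the charset is explicit.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Store the submitted text as typed: no htmlspecialchars(), no stripslashes().
// The prepared statement keeps the value out of the SQL text, so < > & " ' are
// harmless in the database; they only matter when rendered into HTML.
function addProduct(PDO $db, string $code, string $product, string $salePrice): bool
{
    $stmt = $db->prepare(
        'INSERT INTO product (code, product, sale_price) VALUES (:code, :product, :sale_price)'
    );
    return $stmt->execute([
        ':code'       => trim($code),
        ':product'    => trim($product),
        ':sale_price' => (float) $salePrice,
    ]);
}

// Build the rows for the datatable. Every database-sourced string goes through
// h() at the moment it is written into HTML, whether as text or as an attribute;
// the numeric column is formatted rather than echoed raw.
function renderProductRows(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT code, product, sale_price FROM product') as $row) {
        $html .= '<tr data-code="' . h($row['code']) . '">'
               . '<td>' . h($row['code']) . '</td>'
               . '<td>' . h($row['product']) . '</td>'
               . '<td>' . number_format((float) $row['sale_price'], 2) . '</td>'
               . "</tr>\n";
    }
    return $html;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE product (id INTEGER PRIMARY KEY, code TEXT, product TEXT, sale_price REAL)');

// Constructed sample input: the kind of payload from the question, plus a name
// containing characters that also broke the concatenated query string in the
// original JavaScript.
addProduct($db, 'P-001', '<script>alert(1);</script>', '9.99');
addProduct($db, 'P-002', 'Tom & Jerry "deluxe" <xl>', '12.50');

// Show what the database holds next to what the browser receives.
foreach ($db->query('SELECT product FROM product') as $row) {
    echo 'stored:   ' . $row['product'] . "\n";
    echo 'rendered: ' . h($row['product']) . "\n";
}
echo renderProductRows($db);
```

Run from the command line, the script prints each product name as it is stored (the literal `<script>` text) beside its encoded form, in which `<` and `>` have become `&lt;` and `&gt;`, so a browser shows the payload as text instead of executing it. Two caveats a practitioner should keep in mind. First, escaping on input, as the question's controller does, causes double encoding the moment a record is loaded into an edit form and saved again (`&lt;` becomes `&amp;lt;`), and it leaves the database holding data that is only correct for one output context. Second, htmlspecialchars() covers HTML text and attribute values only; a value inserted into a JavaScript string, a URL, or handed to jQuery's `.html()` on the client needs the encoding for that context, and the plain-text `ans` the controller returns should be compared and shown as text, never injected as HTML.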