如何阻止人们在我的表单中放置代码?

时间:2016-06-07 01:53:03

标签: javascript php html mysql xss

所以,我有一个进入数据库的表单,然后这些值在页面上回显。我一直试图弄清楚如何通过表单禁用所有代码。

这是我的表格:

    <div id="postForm">
        <form method="post" action="post.php" id="messageForm" autocomplete="off">
            <table border="0" align="center">
                <tr><td id="formBlock"><span>Name</span></td>
                <td><input id="messageName" name="name" type="text" value="Anonymous" maxlength="32" required>
                    <input style="margin-right: -1px; margin-left: -4px;" type="submit" name="Submit" value="Send Message"></td></tr>
                <tr><td id="formBlock"><span>Title</span></td>
                    <td><input id="messageTitle" name="title" type="text" maxlength="32" width="20"></td></tr><br>
                <tr><td id="formBlock"><span>Message</span></td>
                    <td><textarea onkeyup="countChar(this)" name="message" rows="6" cols="50" form="messageForm" maxlength="2000" style="font-family: arial;" required></textarea></td></tr>
            </table>
        </form>
            <table align="center" style="width: 290px; border: 0px;">
                <td><div id="warningText" style="font-size: 10px; margin-top: -15px;">Please read the FAQ before posting!</div></td>
                <td><div id="messageText" style="font-size: 10px; margin-top: -15px; text-align: right;"></div></td>
            </table>
    </div>

这就是条目的回应方式:

   <div id="messages">
        <?php
            $servername = "localhost";
            $username = "user";
            $password = "pass";
            $dbname = "db_posts";
            $tablename = "posts";

            $conn = new mysqli($servername, $username, $password, $dbname);
            if ($conn->connect_error) {
                die("failed to connect: " . $conn->connect_error); 
            }

            $sql = "SELECT id, rating, name, title, message, date, time FROM posts ORDER BY date DESC, time DESC";
            $result = $conn->query($sql);


            if ($result->num_rows > 0) {
                while($row = $result->fetch_assoc()) {
                    echo "<br><div id='messageBar'><b><a class='rateup' href='index.php' data-id=' " . $row['id'] . " ' title='vote up'>&#9650;</a> ";
                    echo $row["rating"];
                    echo " <a class='ratedown' href='index.php' title='vote down'>&#9660;</a> </b>";
                    echo "Posted by <b>";
                    echo $row["name"];
                    echo "</b> on ";
                    echo $row["date"];
                    echo " at ";
                    echo $row["time"];
                    if (!empty($row['title'])) {
                        echo " - <b>";
                        echo $row["title"];
                        echo "</b>";
                    }
                    echo "<span style='float: right'>#";
                    echo $row["id"];
                    echo "</span>";
                    echo "</div><div id='messageContent'>";
                    echo $row["message"];
                    echo "</div><br><hr>";
                }
            } else {
                echo "<br>";
                echo "<center><i>it's dusty in here</i></center>";
                echo "<br>";
            }

            $conn->close();
        ?>
    </div>

我确信我能更好地回应所有这些数据,所以如果有人有任何建议,请随时告诉我。

TL; DR:如果有人在我的表单中输入<b>text</b>,我希望它像<b>text</b>一样回应。

1 个答案:

答案 0 :(得分:-1)

将用户数据渲染到屏幕时对其进行编码是最常见的。我不使用php,但您可以使用htmlentities()函数。

这样,任何可以在浏览器中被解释为命令的字符都被编码为完全按照原来输入的方式显示。

相关问题
最新问题