将POST数据输出到<<<<&#E; EOT'

时间:2016-08-02 14:28:13

标签: php content-management-system fwrite eot

我正在制作内容管理系统。我允许用户通过表格发布一些信息,然后在新页面上使用(例如'页面标题''轮播速度') ,但我很难将这些信息传递到生成的页面中。

要使用$page .= <<<'EOT'添加网站的内容并将html放在那里,但尝试回显$_POST变量,这意味着PHP代码将按字面显示为I把它写在EOT里面而不是结果。

有没有办法告诉EOT将<?php echo $_POST['speed'] ?>视为例外?

<?php

    $addTo = $_POST['addTo'];
    //$visit = $_POST['visit'];
    $dir = $_POST['name'];
    $desc = $_POST['desc'];

    $dir = preg_replace('/\s+/', '_', $dir);

    mkdir($addTo.'/'.$dir, 0777);
    mkdir($addTo.'/'.$dir.'/photos', 0777);

    //Make page
    $content = "he";
    $myfile = fopen ($addTo.'/'.$dir.'/index.php', "w") or die ("Unable to open file!");
    $page = "";
    $speed = $_POST['speed'];



$page .= <<<'EOT'

<head>
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
    <script src="https://code.jquery.com/jquery-3.1.0.min.js" integrity="sha256-cCueBR6CsyA4/9szpPfrX3s49M9vUU5BgtiJj06wt/s=" crossorigin="anonymous"></script>
    <script src="https://use.fontawesome.com/2c6a42bed3.js"></script>
    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
</head>

<body>

    <div id="myCarousel" class="carousel slide" data-ride="carousel">
      <!-- Indicators -->
      <ol class="carousel-indicators" style="display:none">
        <li data-target="#myCarousel" data-slide-to="0" class="active"></li>
        <li data-target="#myCarousel" data-slide-to="1"></li>
        <li data-target="#myCarousel" data-slide-to="2"></li>
        <li data-target="#myCarousel" data-slide-to="3"></li>
      </ol>

      <!-- Wrapper for slides -->
      <div class="carousel-inner" role="listbox">

        <?php

            $active = "active";
            $url = $_SERVER['REQUEST_URI'].'photos/';
            //echo $url." - url<br/>";

            $conn = mysqli_connect("localhost","root","","test");

            $sql = "SELECT speed FROM pages WHERE title = ''";

            if (mysqli_connect_errno()) {echo "Failed to connect to MySQL: " . mysqli_connect_error();}
            $sql = "SELECT * FROM photos WHERE url = '$url'"; 

            $result = mysqli_query($conn, $sql);

            while($row = mysqli_fetch_array($result)) {
                ?> 
                    <div class="item <?=$active?>">
                        <img src="<?php echo $row['url'].$row['caption']; ?>">
                    </div> 
                <?php

                $active="";

            }

            $conn->close();

        ?>

      </div>

      <!-- Left and right controls -->
      <a class="left carousel-control" href="#myCarousel" role="button" data-slide="prev">
        <span class="glyphicon glyphicon-chevron-left" aria-hidden="true"></span>
        <span class="sr-only">Previous</span>
      </a>
      <a class="right carousel-control" href="#myCarousel" role="button" data-slide="next">
        <span class="glyphicon glyphicon-chevron-right" aria-hidden="true"></span>
        <span class="sr-only">Next</span>
      </a>
    </div>




</body>
<script type="text/javascript">
    $(document).ready(function(){
         $("#myCarousel").carousel({
             interval : 420,
             pause: false
         });
    });
</script>

%s

EOT;


?> 
<?php

    $output = sprintf($page, $speed);
    echo $output;

    fwrite($myfile, $page);
    fclose($myfile);

    $conn = mysqli_connect("localhost","root","","test");

    if (mysqli_connect_errno()) {echo "Failed to connect to MySQL: " . mysqli_connect_error();}

    $sql = "INSERT INTO pages (title, type, description, active, speed) VALUES ('$dir', '$addTo','$desc' , '1', '$speed')";

    if ($conn->query($sql) === TRUE) {
        echo "New record created successfully";
    } else {
        echo "Error: " . $sql . "<br>" . $conn->error;
    }

    $conn->close();

    //Redirect
    if (isset($visit)){
        //header('Location:index.php?newPage='.$addTo.'/'.$dir.'/'.$filename);
    }

    else {
        //header('Location:index.php?newPage='.$addTo.'/'.$dir.'/'.$filename);
    }

?>

1 个答案:

答案 0 :(得分:1)

  

有没有办法告诉EOT将<?php echo视为一个   异常?

没有,除非您将'EOT'替换为"EOT"。第一个(您当前正在使用的)将所有内容视为原始字符串。第二个在PHP中用作双引号,因此将解析字符串并识别变量。

我将继续使用'EOT',并在字符串中插入占位符%s。然后,我使用sprintf将值替换为占位符(see the docs

// the %s will be replaced later with your values
$template = <<< 'EOT'
The car has speed %s and a mileage of %s ...
EOT;

//build the args. Use htmlspecialchars to protect your users from
// Cross-Site Scripting attacks
$args = [
    htmlspecialchars($_POST['speed']),
    htmlspecialchars($_POST['mileage']),
    ...
];

//insert the args into the template
$output = sprintf($template, ...$args);

echo $output;

安全提示:因为您输出了用户将您发回给浏览器的字符串,您很容易受到Cross-Site Scripting (XSS) attacks的攻击:用户可以让您的网站执行她想要的任何代码,因为您和#39;重新使用她的输入来构建页面。我使用htmlspecialchars()清理输入以保护您。

相关问题
最新问题