刚刚说到XSS攻击.
刚说到XSS攻击..
我记得我之前做一个项目.就给检测出存在XSS攻击。
开始我没有过滤提交的内容。
后来foreach 循环过滤每一个变量$_GET...$_POST...,发现不行。
然后只好写了个函数 直接检测 $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"] 判断直接 exit...
不知道大家都是怎么处理这个问题的...
------解决方案--------------------
htmlspecialchars过滤
------解决方案--------------------
htmlspecialchars
------解决方案--------------------
------解决方案--------------------
- PHP code
<?php $array = array("hello"=>"dsa");foreach($array as &$value){ $value = htmlspecialchars($value);}var_dump($array);array(1) { ["hello"]=> &string(11) "dsa<>"}<br><font color="#e78608">------解决方案--------------------</font><br>------解决方案--------------------
给你这三个函数,你根据需求稍加修改就好了,以后要获取内容的时候不管是get还是post传值都用这样的方法来获取:
$变量名=Toget('参数名或表单内的项目名');
- PHP code
//函数:获取数据//参数:表单名,是否需要转译Function Toget($__k,$Slash=True){ IF($__k==""){Return False;} IF(Array_key_exists($__k,$_REQUEST)){ $Value=IsSet($_POST["".$__k.""])?$_POST["".$__k.""]:$_GET["".$__k.""]; }Else{ Return False; } IF(Is_array($Value)){ $Value=Array_Filter($Value,'_nul'); }Else{ $Value=Trim($Value); IF($Value==""){Return False;} } IF($Slash){ $Value=Addlash($Value); } //反馈结果 IF(Is_array($Value)){Return $Value;} IF($Value=="" Or !Isset($Value)){ Return False; }Else{ Return $Value; }}function Addlash($Str){ !Defined('MAGIC_QUOTES_GPC') && Define('MAGIC_QUOTES_GPC',get_magic_quotes_gpc()); IF(!MAGIC_QUOTES_GPC){ IF(Is_array($Str)){ $keys=array_keys($Str); Foreach($keys as $key){ $val=$Str[$key];unset($Str[$key]); $Str[addslashes($key)]=Addlash($val); } }Else{ $Str=addslashes($Str); } } Return $Str;}//清理数组中的空值//用法:Print_r (Array_Filter($Arr,'_nul'));Function _nul($param){ Return ($param!="") ? True : False;}<br><font color="#e78608">------解决方案--------------------</font><br>这个得mark一下,继续~<br><font color="#e78608">------解决方案--------------------</font><br>XSS又叫CSS (Cross Site Script) ,跨站脚本攻击。它指的是恶意攻击者往Web页面里插入恶意脚本代码,当用户浏览该页之时,嵌入其中Web里面的脚本代码会被执行,从而达到恶意攻击用户的特殊目的。XSS属于被动式的攻击,因为其被动且不好利用,所以许多人常忽略其危害性。<br><br>服务器端脚本防止 XSS 的唯一手段是检查传入的数据中是否有 script 标记<br>当然,攻击者还有 n 多的手段去直接在你的页面中嵌入恶意代码。这就不是服务器端脚本能解决的问题了<br>简单的用 htmlspecialchars 处理一下,只适合于其后只将传入的数据作为字符串显示的场合。<br>由于 <script xss></script><br>对于 #7 的 <img src alt="刚刚说到XSS攻击." >显然使用的检测算法不是最大匹配算法,而是简单的包含算法<br>虽无大错,但误判率升高。宁可错杀三千,不可放过一个<br><br><br><br><br><font color="#e78608">------解决方案--------------------</font><br>
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
Detailed explanation of the usage of return in C language
Oct 07, 2023 am 10:58 AM
The usage of return in C language is: 1. For functions whose return value type is void, you can use the return statement to end the execution of the function early; 2. For functions whose return value type is not void, the function of the return statement is to end the execution of the function. The result is returned to the caller; 3. End the execution of the function early. Inside the function, we can use the return statement to end the execution of the function early, even if the function does not return a value.
What is the execution order of return and finally statements in Java?
Apr 25, 2023 pm 07:55 PM
Source code: publicclassReturnFinallyDemo{publicstaticvoidmain(String[]args){System.out.println(case1());}publicstaticintcase1(){intx;try{x=1;returnx;}finally{x=3;}}}#Output The output of the above code can simply conclude: return is executed before finally. Let's take a look at what happens at the bytecode level. The following intercepts part of the bytecode of the case1 method, and compares the source code to annotate the meaning of each instruction in
Sort array using Array.Sort function in C#
Nov 18, 2023 am 10:37 AM
Title: Example of using the Array.Sort function to sort an array in C# Text: In C#, array is a commonly used data structure, and it is often necessary to sort the array. C# provides the Array class, which has the Sort method to conveniently sort arrays. This article will demonstrate how to use the Array.Sort function in C# to sort an array and provide specific code examples. First, we need to understand the basic usage of the Array.Sort function. Array.So
php提交表单通过后,弹出的对话框怎样在当前页弹出,该如何解决
Jun 13, 2016 am 10:23 AM
php提交表单通过后,弹出的对话框怎样在当前页弹出php提交表单通过后,弹出的对话框怎样在当前页弹出而不是在空白页弹出?想实现这样的效果:而不是空白页弹出:------解决方案--------------------如果你的验证用PHP在后端,那么就用Ajax;仅供参考:HTML code
Simple and clear method to use PHP array_merge_recursive() function
Jun 27, 2023 pm 01:48 PM
When programming in PHP, we often need to merge arrays. PHP provides the array_merge() function to complete array merging, but when the same key exists in the array, this function will overwrite the original value. In order to solve this problem, PHP also provides an array_merge_recursive() function in the language, which can merge arrays and retain the values of the same keys, making the program design more flexible. array_merge
How to use the array_combine function in PHP to combine two arrays into an associative array
Jun 26, 2023 pm 01:41 PM
In PHP, there are many powerful array functions that can make array operations more convenient and faster. When we need to combine two arrays into an associative array, we can use PHP's array_combine function to achieve this operation. This function is actually used to combine the keys of one array as the values of another array into a new associative array. Next, we will explain how to use the array_combine function in PHP to combine two arrays into an associative array. Learn about array_comb
How does Vue3 use setup syntax sugar to refuse to write return
May 12, 2023 pm 06:34 PM
Vue3.2 setup syntax sugar is a compile-time syntax sugar that uses the combined API in a single file component (SFC) to solve the cumbersome setup in Vue3.0. The declared variables, functions, and content introduced by import are exposed through return, so that they can be used in Vue3.0. Problems in use 1. There is no need to return declared variables, functions and content introduced by import during use. You can use syntactic sugar //import the content introduced import{getToday}from'./utils'//variable constmsg='Hello !'//function func
Detailed explanation of JavaScript function return values and return statements
Aug 04, 2022 am 09:46 AM
JavaScript functions provide two interfaces to interact with the outside world. The parameters serve as the entrance to receive external information; the return value serves as the outlet to feed back the operation results to the outside world. The following article will take you to understand the JavaScript function return value and briefly analyze the usage of the return statement. I hope it will be helpful to you!
