The code is as follows:
<?
// Vulnerable: the query parameter is written into the page unescaped
echo("<p>search results for query:").$_GET['query'].".</p>";
?>
The main problem with this code is that it writes user-submitted data directly into the web page, which results in an XSS vulnerability. There are actually many ways to close this hole. So, what code do we want?
The code is as follows:
<?
// The query parameter is HTML-escaped before it is output
echo("<p>search results for query: ").htmlspecialchars($_GET['query']).".</p>";
?>
This is the minimum requirement. The XSS vulnerability is closed with the htmlspecialchars function, which escapes the HTML special characters so they can no longer be interpreted as markup.
The code is as follows:
<?php
// Output only when the parameter is present; ENT_QUOTES also escapes single quotes
if(isset($_GET['query']))
  echo '<p>search results for query: ',
  htmlspecialchars($_GET['query'],ENT_QUOTES).'.</p>';
?>
People who can write code like this are the ones I want to hire:
* <? was replaced with <?php.
* Check whether $_GET['query'] is set before outputting it.
* The redundant parentheses in the echo command have been removed.
* Strings are delimited with single quotes, which saves PHP the time of scanning the string for variables to substitute.
* Use commas instead of periods to save echo time.
* Pass the ENT_QUOTES flag to the htmlspecialchars function to ensure that single quotes are also escaped. Although this is not the most important point, it is a good habit.
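An added example, not code from the original article: it wraps the escaping above in two hypothetical helpers, `h()` and `render_search()`, and shows on a constructed input why the ENT_QUOTES flag matters once the value is placed inside a single-quoted attribute. The `<input>` field, the helper names and the sample query are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the article): escape for HTML body text and
// for quoted attribute values. Flags and charset are passed explicitly so the
// result does not depend on the defaults of the PHP version in use.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Renders the search heading plus a search box pre-filled with the query.
// Returns an empty string when no usable query parameter was sent.
function render_search(array $params): string
{
    $query = $params['query'] ?? null;
    // ?query[]=x arrives as an array, but htmlspecialchars() expects a string.
    if (!is_string($query) || $query === '') {
        return '';
    }
    return '<p>search results for query: ' . h($query) . ".</p>\n"
         . "<input type='text' name='query' value='" . h($query) . "'>\n";
}

// Constructed sample input: markup characters plus a single quote.
$sample = ['query' => "<b>x</b>' data-injected='1"];

// The same attribute escaped without ENT_QUOTES: the single quote survives, so
// the value ends early and data-injected becomes an attribute of its own.
$weak = "<input type='text' name='query' value='"
      . htmlspecialchars($sample['query'], ENT_COMPAT, 'UTF-8') . "'>\n";

echo "ENT_COMPAT:\n", $weak;
echo "ENT_QUOTES:\n", render_search($sample);
echo "array input: ", var_export(render_search(['query' => ['x']]), true), "\n";
```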