PHP ?? ?? ???? PHP ?? ??
1. PHP ?? ??
? ???? PHP? ???? ?????? ??? ?? ???? ???? ??? ?????.
??: PHP ??? ??? ?? ??? ???? ???. ? ???? ??? ??? ???? ?? PHP ?? ???? ?? ??? ?????. ??? ?? ??? ?? ??? ???? ???.
? ?? ??? HTML ???? ?? ? ?? ??? ??, ??? ??, ?? ?? ?? ?? ??? ???? ????.
2. ?? ?
??? ??? ????.
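<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title>php.cn</title>
<style>
.error {color: #FF0000;}
</style>
</head>
<body>

<?php
// Error messages and sanitised values, all "" by default so the template
// below can echo them unconditionally.
$nameErr = $emailErr = $genderErr = $websiteErr = "";
$name = $email = $gender = $comment = $website = "";

// Only these two radio values are accepted server-side; the HTML offering
// just two options is no guarantee of what actually arrives in $_POST.
$allowedGenders = ["female", "male"];

// `?? ""` keeps this quiet where REQUEST_METHOD is unset (CLI); `===` avoids
// loose comparison.
if (($_SERVER["REQUEST_METHOD"] ?? "") === "POST") {
    // Validate the RAW (trimmed) values, then escape for output. The original
    // validated the already HTML-escaped string, so e.g. "&" had turned into
    // "&amp;" before the patterns ever saw it.
    $rawName    = trim(post_field("name"));
    $rawEmail   = trim(post_field("email"));
    $rawWebsite = trim(post_field("website"));
    $rawComment = trim(post_field("comment"));
    $rawGender  = trim(post_field("gender"));

    if ($rawName === "") {
        $nameErr = "名字是必需的";
    } else {
        $name = test_input($rawName);
        // Letters and spaces only; \z (not $) so a trailing newline cannot
        // slip past the end anchor.
        if (!preg_match('/^[a-zA-Z ]*\z/', $rawName)) {
            $nameErr = "只允許字母和空格";
        }
    }

    if ($rawEmail === "") {
        $emailErr = "郵箱是必需的";
    } else {
        $email = test_input($rawEmail);
        // The original regex was unanchored, so any string merely *containing*
        // x@y.z (e.g. '"><script>...x@y.z') was accepted as a valid address.
        if (filter_var($rawEmail, FILTER_VALIDATE_EMAIL) === false) {
            $emailErr = "非法郵箱格式";
        }
    }

    if ($rawWebsite !== "") {
        $website = test_input($rawWebsite);
        // Same character classes as before, but anchored (^ ... \z) so the
        // whole value must be the URL rather than just contain one.
        if (!preg_match('/^(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]\z/i', $rawWebsite)) {
            $websiteErr = "非法的 URL 的地址";
        }
    }

    // `=== ""` rather than empty(): a comment consisting of "0" is a real comment.
    if ($rawComment !== "") {
        $comment = test_input($rawComment);
    }

    if ($rawGender === "") {
        $genderErr = "性別是必需的";
    } elseif (!in_array($rawGender, $allowedGenders, true)) {
        $genderErr = "非法的性別";
    } else {
        $gender = test_input($rawGender);
    }
}

/**
 * Return a POST field as a plain string, or "" when it is missing or is not
 * a string (a `field[]=x` submission arrives as an array; handing that to
 * trim() throws a TypeError on PHP 8).
 */
function post_field(string $key): string
{
    $value = $_POST[$key] ?? "";
    return is_string($value) ? $value : "";
}

/**
 * Trim and HTML-escape one user-supplied value for output in HTML text or
 * inside a quoted attribute.
 *
 * Differences from the usual tutorial version:
 *  - stripslashes() is gone. It existed for magic_quotes (removed in PHP
 *    5.4); today it only eats legitimate backslashes and protects nothing.
 *  - ENT_QUOTES escapes ' as well as " (PHP < 8.1 left ' alone by default);
 *    ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
 * The values are stored escaped, so they are safe for HTML context only —
 * not for SQL, JavaScript or URLs, which each need their own encoding.
 *
 * @param mixed $data raw request value; anything that is not a string yields "".
 */
function test_input($data): string
{
    if (!is_string($data)) {
        return "";
    }
    return htmlspecialchars(trim($data), ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
}
?>

<h2>PHP 表單驗證實例</h2>
<p><span class="error">* 必需字段。</span></p>
<!-- PHP_SELF is escaped because its path-info part is attacker-controlled
     (/page.php/"><script>...). A fixed path or action="" avoids the issue entirely. -->
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"] ?? "", ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8"); ?>">
名字: <input type="text" name="name" value="<?php echo $name; ?>">
<span class="error">* <?php echo $nameErr; ?></span>
<br><br>
E-mail: <input type="text" name="email" value="<?php echo $email; ?>">
<span class="error">* <?php echo $emailErr; ?></span>
<br><br>
網址: <input type="text" name="website" value="<?php echo $website; ?>">
<span class="error"><?php echo $websiteErr; ?></span>
<br><br>
備注: <textarea name="comment" rows="5" cols="40"><?php echo $comment; ?></textarea>
<br><br>
性別:
<input type="radio" name="gender" <?php if ($gender === "female") echo "checked"; ?> value="female">女
<input type="radio" name="gender" <?php if ($gender === "male") echo "checked"; ?> value="male">男
<span class="error">* <?php echo $genderErr; ?></span>
<br><br>
<input type="submit" name="submit" value="Submit">
</form>

<?php
echo "<h2>您輸入的內容是:</h2>";
echo $name;
echo "<br>";
echo $email;
echo "<br>";
echo $website;
echo "<br>";
echo $comment;
echo "<br>";
echo $gender;
?>

</body>
</html>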
?? ??? ???? ????.
3. ?? ??
1. ?? ??
2. ??? ??
'??', '???', '????' ??? ??? ?? ????, '??'? " ??? ??? ?????. HTML ??? ??? ????.
"Name": <input type="text" name="name">
E-mail: <input type="text" name="email">
????: <input type="text" name="website">
??: <textarea name="comment" rows="5" cols="40"></textarea>
3. ??? ??
"??" ??? ??? ???? HTML ??? ??? ????.
??:
<input type="radio" name="gender" value="female">??
<input type="radio" name="gender" value="male">??
4. ?? ??
HTML ?? ??? ??? ????.
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
? ??? ???? ???? ?? method="post" ???? ?????.
??: $_SERVER["PHP_SELF"] ??? ??????
$_SERVER["PHP_SELF"]? ?? ?? ?? ?? ??? ???? ?? ?? ?????. ???? ? ?? ?? ??.
??? $_SERVER["PHP_SELF"]? ?? ???? ???? ?? ?? ???? ?? ???? ????.
??:
htmlspecialchars() ???? ??????
htmlspecialchars() ??? ?? ??? ?? ??? HTML ???? ?????.
?? ??? ??? ??? ????.
" ??) Be '-
-
- 5. PHP ???? ???? ? ?? ??????
- $_SERVER["PHP_SELF"] ??? ??? ??? ? ????!
??? ??? ??? ???? HTTP ??? ???? ???? ?? $_SERVER["PHP_SELF"] ?? ??? ????? ?????. ? ??? ??? ??? ????? ?? ?? ??? ???? $_SERVER["PHP_SELF"] ???? HTTP ?? ?? JavaScript ???? ??? ???? ?????. ??: XSS? ??? ??? ???? ??? CSS(Cross-Site Script)??? ???. ???? ???? ???? ???? ??? ? ???? HTML ??? ???? ? ???? ??? HTML ??? ?????? ???? ???? ??? ??? ?????.
- ?? ?? ?? ??? "test_form.php"? ?????.
- <form method="post" action="test_form.php">
- ??? ???? ???? ?? ???? ?? ??? ????? ?? ?????:
- <form method="post" action="test_form.php/"><script>alert('hacked')</script>
<script> ???? ?? JavaScript ??? ??? ? ????. ??? ?? ??? ???? ?? ??? ????? ? ????. ?? ??? ?? ??? ????? ???? ?? ???? ?? ? ????.
6. $_SERVER["PHP_SELF"] ??? ???? ??? ??????
$_SERVER["PHP_SELF"] ??? ????? htmlspecialchars() ??? ???? ???.
?? ??? ??? ????.
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
htmlspecialchars() ?? ??? ?? ??? HTML ???? ?????. ?? ???? PHP_SELF ??? ????? ?? ??? ??? ?? ?????.
<form method="post" action="test_form.php/&quot;&gt;&lt;script&gt;alert('hacked')&lt;/script&gt;">
? ???? ????? ??? ??????!
7. PHP? ???? ?? ??? ??? ??
?? PHP? htmlspecialchars() ??? ?? ???? ??? ?? ???? ?????.
htmlspecialchars() ??? ??? ?. , ???? ?? ???? ????? ???. ???:
<script>location.href('http://ipnx.cn')</script>
? ??? ??? ?? HTML ????? ??? ????? ???? ????.
&lt;script&gt;location.href('http://ipnx.cn')&lt;/script&gt;
? ??? ???? ???? ????? ????? ???? ??? ? ????.
???? ??? ???? ?? ? ?? ??? ?????.
PHP trim() ??? ???? ???? ??(?: ??, ?)? ?????. , newlines) ??? ?? ?????
- PHP stripslashes() ??? ???? ??? ?? ???()?? ????? ?????.
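<?php
// Sanitised values, "" by default so they can be echoed unconditionally.
$name = $email = $gender = $comment = $website = "";

// `?? ""` keeps this quiet where REQUEST_METHOD is unset (CLI); `===` avoids
// loose comparison. Each field is read with `?? ""` so a missing key raises
// no warning (and trim(null) is deprecated since PHP 8.1).
// NOTE: this listing only escapes for HTML output — it validates nothing.
if (($_SERVER["REQUEST_METHOD"] ?? "") === "POST") {
    $name    = test_input($_POST["name"] ?? "");
    $email   = test_input($_POST["email"] ?? "");
    $website = test_input($_POST["website"] ?? "");
    $comment = test_input($_POST["comment"] ?? "");
    $gender  = test_input($_POST["gender"] ?? "");
}

/**
 * Trim and HTML-escape one user-supplied value for output in HTML text or
 * inside a quoted attribute.
 *
 * Differences from the usual tutorial version:
 *  - stripslashes() is gone. It existed for magic_quotes (removed in PHP
 *    5.4); today it only eats legitimate backslashes and protects nothing.
 *  - ENT_QUOTES escapes ' as well as " (PHP < 8.1 left ' alone by default);
 *    ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
 *  - Non-strings (e.g. the array produced by `field[]=x`) yield "" instead
 *    of a TypeError from trim().
 * The result is safe for HTML context only — not for SQL, JavaScript or
 * URLs, which each need their own encoding.
 *
 * @param mixed $data raw request value.
 */
function test_input($data): string
{
    if (!is_string($data)) {
        return "";
    }
    return htmlspecialchars(trim($data), ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
}
?>
4. ??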
? ????? ??? ? $_SERVER["REQUEST_METHOD"]? ???? ??? ?????? ?????. REQUEST_METHOD? POST?? ??? ???? ???? ???? ?????. ??? ???? ??? ??? ??? ???? ???? ?????. ? ???? ????? ??? ??????, ???? ??? ???? ???? ??? ????? ??? ? ????. ?? ???? ???? ??? ???? ???? ??? ???????.