The code is as follows:
<?php
echo("<p>search results for query: ") . $_GET['query'] . ".</p>";
?>
The main problem with this code is that it prints the data submitted by the user straight into the page, which creates an XSS vulnerability: anything in the query string, including <script> tags, ends up in the response as live markup. There are many ways to close this hole. So what code do we actually want to see?
The code is as follows:
<?php
echo("<p>search results for query: ") . htmlspecialchars($_GET['query']) . ".</p>";
?>
This is the minimum requirement. The XSS hole is closed by htmlspecialchars, which converts the characters that have meaning in HTML (<, >, &, and double quotes) into entities, so whatever the user submits is rendered as text instead of being interpreted as markup.
The code is as follows:
<?php
if (isset($_GET['query']))
    echo '<p>search results for query: ',
         htmlspecialchars($_GET['query'], ENT_QUOTES), '.</p>';
?>
Someone who writes code like this is the kind of person I want to hire:
* It checks with isset() that $_GET['query'] is actually present before using it, instead of emitting an undefined-index notice and printing an empty query.
* The redundant parentheses around the echo argument are gone; echo is a language construct, not a function.
* Strings are delimited with single quotes, so PHP does not scan them for variables to interpolate.
* Commas instead of periods pass separate arguments to echo, so no concatenated string has to be built before anything is output.
* The ENT_QUOTES flag is passed to htmlspecialchars so that single quotes are converted as well as double quotes. This is more than a good habit: without it, a value placed inside a single-quoted HTML attribute can still close the attribute and inject an event handler.
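The following script is an added example, not code from the original article. It wraps the recommended pattern in a function and then shows, with a constructed attacker input, why the ENT_QUOTES flag matters when the escaped value ends up inside a single-quoted attribute. The function names, the explicit 'UTF-8' charset argument and the sample input are assumptions made for this example.

```php
<?php
// Added example (not from the original article).
// Renders the search-results line the way the final snippet on this page does:
// check presence with isset(), escape with ENT_QUOTES, pass the charset explicitly.
function render_results(array $get): string
{
    if (!isset($get['query'])) {
        return '';
    }
    return '<p>search results for query: '
         . htmlspecialchars($get['query'], ENT_QUOTES, 'UTF-8')
         . '.</p>';
}

// Hypothetical helper: put a value inside a single-quoted attribute using a
// chosen set of htmlspecialchars flags, so the two flag sets can be compared.
function attr_single(string $value, int $flags): string
{
    return "<input name='q' value='" . htmlspecialchars($value, $flags, 'UTF-8') . "'>";
}

// Constructed attacker input: closes a single-quoted attribute and adds a handler.
$evil = "x' onmouseover='alert(1)";

// The recommended pattern: quotes and angle brackets all become entities.
echo render_results(['query' => $evil]), PHP_EOL;

// No query parameter at all: returns an empty string instead of raising a notice.
echo render_results([]), PHP_EOL;

// ENT_COMPAT (the default flag set before PHP 8.1) converts double quotes only,
// so the single quote passes through and the attacker breaks out of the attribute.
echo attr_single($evil, ENT_COMPAT), PHP_EOL;

// ENT_QUOTES converts the single quote too, so the attribute stays closed.
echo attr_single($evil, ENT_QUOTES), PHP_EOL;
```

Run it with php on the command line and compare the last two lines: with ENT_COMPAT the single quote in the input is printed unchanged and terminates the value attribute, with ENT_QUOTES it is emitted as an entity. Note that PHP 8.1 changed the default flags of htmlspecialchars to include ENT_QUOTES, so the middle snippet above only leaves single quotes alone on older PHP versions; passing the flag explicitly, as the last snippet does, makes the behaviour the same everywhere.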
That covers the three versions of this snippet, from the inferior PHP code to the one I would want to see. I hope it is useful to anyone learning PHP.