PHP³ÌÐòÔ±×îÒ×·¸10ÖÖ´íÎó

PHPÊǸöΰ´óµÄweb¿ª·¢ÓïÑÔ£¬Áé»îµÄÓïÑÔ£¬µ«ÊÇ¿´µ½php³ÌÐòÔ±Öܶø¸´Ê¼µÄ·¸µÄһЩ´íÎó¡£ÎÒ×öÁËÏÂÃæÕâ¸öÁÐ±í£¬ÁгöÁËPHP³ÌÐòÔ±¾­³£·¸µÄ10ÖдíÎ󣬴ó¶àÊýºÍ°²È«Ïà¹Ø¡£¿´¿´Äã·¸Á˼¸ÖÖ
1.²»×ªÒâhtml entities
  Ò»¸ö»ù±¾µÄ³£Ê¶£ºËùÓв»¿ÉÐÅÈεÄÊäÈ루ÌرðÊÇÓû§´ÓformÖÐÌá½»µÄÊý¾Ý£© £¬Êä³ö֮ǰ¶¼Òª×ªÒâ¡£
echo $_GET['usename'] ;
Õâ¸öÀý×ÓÓпÉÄÜÊä³ö£º
<script>/*¸ü¸ÄadminÃÜÂëµÄ½Å±¾»òÉèÖÃcookieµÄ½Å±¾*/ </script>
ÕâÊÇÒ»¸öÃ÷ÏԵݲȫÒþ»¼£¬³ý·ÇÄã±£Ö¤ÄãµÄÓû§¶¼ÕýÈ·µÄÊäÈë¡£
ÈçºÎÐÞ¸´ £º
ÎÒÃÇÐèÒª½«" < ",">","and" µÈת»»³ÉÕýÈ·µÄHTML±íʾ( < , >', and ")£¬º¯Êýhtmlspecialchars ºÍ htmlentities()ÕýÊǸÉÕâ¸ö»îµÄ¡£
ÕýÈ·µÄ·½·¨£º
echo htmlspecialchars($_GET['username'], ENT_QUOTES);
2. ²»×ªÒâSQLÊäÈë
ÎÒÔø¾­ÔÚһƪÎÄÕÂÖÐ×î¼òµ¥µÄ·ÀÖ¹sql×¢ÈëµÄ·½·¨(php+mysqlÖÐ)ÌÖÂÛ¹ýÕâ¸öÎÊÌâ²¢¸ø³öÁËÒ»¸ö¼òµ¥µÄ·½·¨¡£ÓÐÈ˶ÔÎÒ˵£¬ËûÃÇÒѾ­ÔÚphp.iniÖн«magic_quotesÉèÖÃΪOn£¬ËùÒÔ²»±Øµ£ÐÄÕâ¸öÎÊÌ⣬µ«ÊDz»ÊÇËùÓеÄÊäÈ붼ÊÇ´Ó$_GET, $_POST»ò $_COOKIEÖеĵõ½µÄ£¡
ÈçºÎÐÞ¸´£º
ºÍÔÚ×î¼òµ¥µÄ·ÀÖ¹sql×¢ÈëµÄ·½·¨(php+mysqlÖÐ)ÖÐÒ»ÑùÎÒ»¹ÊÇÍƼöʹÓÃmysql_real_escape_string()º¯Êý
ÕýÈ·×ö·¨£º
<?php
$sql = "UPDATE users SET
name='.mysql_real_escape_string($name).'
WHERE id='.mysql_real_escape_string ($id).'";
mysql_query($sql);
?>
3.´íÎóµÄʹÓÃHTTP-header Ïà¹ØµÄº¯Êý: header(), session_start(), setcookie()
Óö