doulutian4843 2017-05-10 09:19
Views: 69
Accepted

PHP: take content from a form, write it into a PHP file and display the HTML correctly, but without executing PHP code

I have a blog system where users can enter a name for a free URL and the content that should be displayed at that URL.

So the HTML tags have to be rendered in the browser, but when they write PHP code or other similar things, it should not be executed when the user then visits the new site.

Right now I do it like this:

<?php
// The name of the new page comes straight from the form
$new_url = $_POST["newurl"];
$header = file_get_contents("./header.php");
// The generated file wraps the content in a PHP echo of a double-quoted string
$part1 = "<?php echo html_entity_decode(\"";
// htmlspecialchars() escapes only & < > and quotes; $ and backslash pass through
// and are still interpreted by PHP inside the double-quoted string built here
$content = htmlspecialchars($_POST["content"]);
$part2 = "\");     ?>";
$footer = file_get_contents("./footer.php");
// Writes a new executable .php file into the web root, named by the user
file_put_contents("./$new_url".".php",$header.$part1.$content.$part2.$footer);

Like that, the HTML is rendered correctly in the user's browser when he calls domain.tld/"url-he-entered".php

But I am unsure if this is a safe way, or could the user still enter PHP code in the content and have it executed when he loads the new URL?


1 answer

  • doudu6100 2017-05-16 20:36

    The comments from @CD001 solved the issue:

    The whole idea is a security nightmare anyway mind - ideally you don't want a public facing application able to write anything within the DOCROOT unless you've got a really good handle on the security. You'd be better off storing whatever they enter in a database then using mod_rewrite to hijack the URLs so that whatever the user's URL is, it pulls in your PHP but drops in their sanitised content from the DB (you could use something like http://htmlpurifier.org/).

    Accepted as the best answer by the asker.
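A sketch of the approach the answer recommends, added here as an example (not code from the question, the answer, or any project): one fixed PHP script serves every user page, the slug is checked against an allowlist, the raw submission is kept in a database, and HTMLPurifier cleans it on output, so no user-named file is ever written to the document root and nothing the user submitted is ever parsed as PHP. It assumes HTMLPurifier is installed via Composer (`vendor/autoload.php`), a SQLite file `pages.sqlite`, the existing `header.php`/`footer.php`, and the mod_rewrite rule shown in the comment.

```php
<?php
// page.php: single entry point for all user pages (example, not the original code).
// Assumed .htaccess rule, so /my-post is served by this script without creating my-post.php:
//   RewriteEngine On
//   RewriteRule ^([A-Za-z0-9_-]{1,64})$ page.php?slug=$1 [L,QSA]
require __DIR__ . '/vendor/autoload.php';   // assumption: HTMLPurifier installed via Composer

// Assumed storage; keep the database file outside the web root in a real deployment
$db = new PDO('sqlite:' . __DIR__ . '/pages.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE IF NOT EXISTS pages (slug TEXT PRIMARY KEY, content TEXT NOT NULL)');

// Allowlist the slug: no "../", no ".php", no CR/LF can get through
function valid_slug(string $slug): bool {
    return (bool) preg_match('/^[A-Za-z0-9_-]{1,64}$/', $slug);
}

// Store the raw submission; the slug is a bound parameter, never concatenated.
// (Ownership checks for who may create or edit a slug are out of scope here.)
function save_page(PDO $db, string $slug, string $content): void {
    if (!valid_slug($slug)) { throw new InvalidArgumentException('bad slug'); }
    $stmt = $db->prepare('INSERT INTO pages (slug, content) VALUES (:slug, :content)');
    $stmt->execute([':slug' => $slug, ':content' => $content]);
}

// The content is data echoed into the response, never written into a .php file,
// so "<?php ... ?>" in it is plain text that the purifier strips. HTMLPurifier keeps
// only the listed tags/attributes and drops script, event handlers and non-http(s) URLs.
function render_page(PDO $db, string $slug): ?string {
    if (!valid_slug($slug)) { return null; }
    $stmt = $db->prepare('SELECT content FROM pages WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    $raw = $stmt->fetchColumn();
    if ($raw === false) { return null; }
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,br,b,i,em,strong,ul,ol,li,a[href],img[src|alt],h1,h2,h3,blockquote,pre,code');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    return (new HTMLPurifier($config))->purify($raw);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $slug = (string) ($_POST['newurl'] ?? '');
    save_page($db, $slug, (string) ($_POST['content'] ?? ''));   // throws on a bad slug
    header('Location: /' . $slug);                                // slug already validated above
    exit;
}
$html = render_page($db, (string) ($_GET['slug'] ?? ''));
if ($html === null) { http_response_code(404); echo 'Not found'; exit; }
header('Content-Type: text/html; charset=utf-8');
require __DIR__ . '/header.php';
echo $html;
require __DIR__ . '/footer.php';
```

Because the user text never passes through a PHP parser, the question of whether `<?php` inside it would run does not arise; what remains to control is the HTML it may contain, which is exactly what the purifier's allowlist does.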
