doulutian4843 2017-05-10 09:19
浏览 69
已采纳

PHP从表单获取内容,将其写入php文件并显示正确的HTML,但不执行PHP代码

I have a blogsystem where users can enter a name for a free url and the content which should be displayed on the url.

So.. the html-tags have to be rendered in browser but when they write php-code or other similar things they should not be executed when the user then visits the new site.

Right now I do it like this:

$new_url = $_POST["newurl"];
$header = file_get_contents("./header.php");
$part1 = "<?php echo html_entity_decode(\"";
$content = htmlspecialchars($_POST["content"]);
$part2 = "\");     ?>";
$footer = file_get_contents("./footer.php");
file_put_contents("./$new_url".".php",$header.$part1.$content.$part2.$footer);

Like that the html is rendered correctly in the users browser when he calls domain.tld/"url-he-entered".php

But I am unsure if this is a safe way or could the user still enter php-code in the content and it would be executed when he loads the new url?

  • 写回答

1条回答 默认 最新

  • doudu6100 2017-05-16 20:36
    关注

    The comments from @CD001 solved the issue:

    The whole idea is a security nightmare anyway mind - ideally you don't want a public facing application able to write anything within the DOCROOT unless you've got a really good handle on the security. You'd be better off storing whatever they enter in a database then using mod_rewrite to hijack the URLs so that whatever the user's URL is, it pulls in your PHP but drops in their sanitised content from the DB (you could use something like http://htmlpurifier.org/).

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 如何让企业微信机器人实现消息汇总整合
  • ¥50 关于#ui#的问题:做yolov8的ui界面出现的问题
  • ¥15 如何用Python爬取各高校教师公开的教育和工作经历
  • ¥15 TLE9879QXA40 电机驱动
  • ¥20 对于工程问题的非线性数学模型进行线性化
  • ¥15 Mirare PLUS 进行密钥认证?(详解)
  • ¥15 物体双站RCS和其组成阵列后的双站RCS关系验证
  • ¥20 想用ollama做一个自己的AI数据库
  • ¥15 关于qualoth编辑及缝合服装领子的问题解决方案探寻
  • ¥15 请问怎么才能复现这样的图呀