dongmei9508 2010-10-28 00:30
浏览 78
已采纳

如何使用PHP防止URL表单字段中的HTML注入?

For example if I am colecting a [URL value] in a form, saving that [URL value] in a database, and then using it in a page like this:

<a href="[URL value]" > The Link </a>

How do I protect against this [URL value]:

http://www.somelink.com"> Evil text or can be empty </a>  ALL THE EVIL HTML I WANT  <a href="

How can I protect against this kind of HTML injection for URL form fileds without breaking the URL in case it is valid ?

  • 写回答

5条回答 默认 最新

  • doufu6130 2010-10-28 00:34
    关注

    When receiving the URL on the form:

    • Use filter_var(url, FILTER_VALIDATE_URL) to ensure the URL is in a valid format.
    • Ensure the URL starts with http:// or https:// (or at least reject all javascript: URL as they can include malignant code)
    • Use prepared statements when inserting the URL (and other form data) in the database or properly escape that data to prevent SQL injections.


    When displaying the page:

    • Use htmlspecialchars() to escape the URL (and all other text) that you insert in the HTML.
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(4条)

报告相同问题?

悬赏问题

  • ¥15 YoloV5 第三方库的版本对照问题
  • ¥15 请完成下列相关问题!
  • ¥15 drone 推送镜像时候 purge: true 推送完毕后没有删除对应的镜像,手动拷贝到服务器执行结果正确在样才能让指令自动执行成功删除对应镜像,如何解决?
  • ¥15 求daily translation(DT)偏差订正方法的代码
  • ¥15 js调用html页面需要隐藏某个按钮
  • ¥15 ads仿真结果在圆图上是怎么读数的
  • ¥20 Cotex M3的调试和程序执行方式是什么样的?
  • ¥20 java项目连接sqlserver时报ssl相关错误
  • ¥15 一道python难题3
  • ¥15 牛顿斯科特系数表表示