http://blog.csdn.net/flyhawk007blog/article/details/2502172这个网址说了用“<form action=”/fwolf/temp/test.php/a=1″> <input type=”submit” name=”submit” value=”submit” /> </form>显然,这已经超出了我们的期望,web服务器居然没有产生诸如404之类的错误,页面正常执行了,并且在生成的html代码中居然有用户可以输入的部分,恐怖的地方就在这里。别小看那个“a=1”,如果把它换成一段js代码,就显得更危险了,比如这么调用: http://…/test.php/%22%3E%3Cscript%3Ealert(’xss’)%3C/script%3E%3Cfoo ”这样子的,会显示javascript的alert()的结果的为什么我的程序中没有呢<?php
include "Library/checkEmail.inc"; // 我自己编的程序,用来检验邮箱地址的
if (isset($_POST['submit'])) {
$name = htmlentities($_POST['name']);
$email = htmlentities($_POST['email']);
$languages = $_POST['languages']; printf("Hi %s<br />", $name);
if (validateEmail($email)) {
printf("The address %s is valid!<br />", $email);
} else {
printf("The address <strong>%s</strong> is invalid!<br />", $email);
}
echo 'You like the following languages:<br />';
foreach ($languages as $language) {
$language = htmlentities($language);
echo $language . '<br />';
}
}
?><form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<table>
<tr>
<td>用户名:</td>
<td><input type="text" name="user"/></td>
</tr>
<tr>
<td>电子邮件地址:</td>
<td><input type="text" id="email" name="email" size="20" maxlength="40"/></td>
</tr>
<tr>
<td>What's your favorite programming languages?:</td>
<td>
<input type="checkbox" name="languages[]" value="Csharp"/>C#<br />
<input type="checkbox" name="languages[]" value="Java"/>Java<br />
<input type="checkbox" name="languages[]" value="PHP"/>PHP<br />
<input type="checkbox" name="languages[]" value="Perl"/>Perl<br />
<input type="checkbox" name="languages[]" value="HTML"/>HTML<br />
<input type="checkbox" name="languages[]" value="CSS"/>CSS<br />
</td>
</tr>
<tr><td><input type="submit" value="提交" name="submit"/></td></tr>
</table>
</form>
我在打开的网页地址中输入http://localhost/PHPProject/index.php/%22%3E%3Cscript%3Ealert(’xss’)%3C/script%3E%3Cfoo也不行的
include "Library/checkEmail.inc"; // 我自己编的程序,用来检验邮箱地址的
if (isset($_POST['submit'])) {
$name = htmlentities($_POST['name']);
$email = htmlentities($_POST['email']);
$languages = $_POST['languages']; printf("Hi %s<br />", $name);
if (validateEmail($email)) {
printf("The address %s is valid!<br />", $email);
} else {
printf("The address <strong>%s</strong> is invalid!<br />", $email);
}
echo 'You like the following languages:<br />';
foreach ($languages as $language) {
$language = htmlentities($language);
echo $language . '<br />';
}
}
?><form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<table>
<tr>
<td>用户名:</td>
<td><input type="text" name="user"/></td>
</tr>
<tr>
<td>电子邮件地址:</td>
<td><input type="text" id="email" name="email" size="20" maxlength="40"/></td>
</tr>
<tr>
<td>What's your favorite programming languages?:</td>
<td>
<input type="checkbox" name="languages[]" value="Csharp"/>C#<br />
<input type="checkbox" name="languages[]" value="Java"/>Java<br />
<input type="checkbox" name="languages[]" value="PHP"/>PHP<br />
<input type="checkbox" name="languages[]" value="Perl"/>Perl<br />
<input type="checkbox" name="languages[]" value="HTML"/>HTML<br />
<input type="checkbox" name="languages[]" value="CSS"/>CSS<br />
</td>
</tr>
<tr><td><input type="submit" value="提交" name="submit"/></td></tr>
</table>
</form>
我在打开的网页地址中输入http://localhost/PHPProject/index.php/%22%3E%3Cscript%3Ealert(’xss’)%3C/script%3E%3Cfoo也不行的
也不知道你那篇玩意是从哪里抓取过来的,简直是一派胡言$_SERVER['PHP_SELF'] 表示的是当前页面程序相对于网站根的全路径文件名
注意是“文件名”而不是 URL!所以不可能带有 ?a=1 之类 url 的东西