Creating and processing forms is an important capability indicator for web developers. This chapter focuses on creating and processing forms.

1. Difference between GET and POST. The GET method does not support any characters other than ASCII characters, so non-ASCII data must be encoded (urlencode(), urldecode()); some browsers perform this encoding automatically.

2. A dozen frequently used form elements should be kept in mind.

3. Check the submission source:
   $ref = $_SERVER['HTTP_REFERER'];
   server address: $srv = "{$_SERVER['SERVER_NAME']}{$_SERVER['PHP_SELF']}";
   if (strcmp($ref, $srv) == 0) ... (security check)

4. Data transmission across multiple pages: hidden form elements, data stored in the session, data stored in the database.

5. Do not expect users to input data as required; it must be verified on both the client and the server. Avoiding repeated form submission: (1) client-side JS, (2) cookie, (3) session, (4) the header() function to redirect after submission. Form expiration handling (avoid losing the page data after a submission error).

6. Form security. Preventing XSS attacks: htmlspecialchars() first converts ' < > & to HTML entities; htmlentities() converts every character that has an HTML entity equivalent; the aim is mainly to filter the output (removing script tags); strip_tags() removes any HTML code. Use session_regenerate_id() to change the session id whenever the permission level changes. Preventing SQL injection: mysql_escape_string(), mysql_real_escape_string().

7. Developing secure code: user input verification; advanced verification with the ctype functions; data filtering with the PECL filter extension, input_get(); file path checking; magic quotes (magic_quotes_gpc) are not recommended.
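The following is an added example, not code from the original chapter, showing points 3, 5 and 6 together in one small form handler: a source check that compares only the host part of the Referer (instead of the whole string, which would rarely match), server-side validation with ctype_digit() and filter_var(), a one-time session token against repeated submissions, and htmlspecialchars() on everything echoed back. The field names age, email and token are assumptions; the database step is left as a comment.

```php
<?php
// Added example: minimal form handler applying the chapter's points.
session_start();

// 3. Submission source: compare the Referer host with SERVER_NAME. The header can
//    be absent or forged, so a match is only a weak hint; a mismatch is a reason to reject.
function referer_matches_server(): bool {
    if (empty($_SERVER['HTTP_REFERER'])) {
        return false;
    }
    $host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
    return $host !== null && strcasecmp($host, $_SERVER['SERVER_NAME']) === 0;
}

// 5. Validate on the server even when client-side JS already checked the fields.
function validate_form(array $post): array {
    $errors = [];
    if (!isset($post['age']) || !ctype_digit($post['age']) || (int)$post['age'] > 150) {
        $errors[] = 'age must be a whole number up to 150';
    }
    if (!isset($post['email']) || filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not valid';
    }
    return $errors;
}

// 5. Avoid repeated forms with a one-time token kept in the session (method (3)).
function issue_form_token(): string {
    return $_SESSION['form_token'] = bin2hex(random_bytes(16)); // hex: safe inside an attribute
}
function consume_form_token(?string $submitted): bool {
    $ok = isset($_SESSION['form_token']) && $submitted !== null
        && hash_equals($_SESSION['form_token'], $submitted);
    unset($_SESSION['form_token']); // a second submission with the same token fails
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!referer_matches_server() || !consume_form_token($_POST['token'] ?? null)) {
        http_response_code(400);
        exit('Rejected: unexpected source or repeated submission.');
    }
    $errors = validate_form($_POST);
    if ($errors) {
        foreach ($errors as $e) { // 6. escape before echoing request-derived text
            echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
        }
    } else {
        // ... store the data here using an escaped/parameterised query (point 6) ...
        session_regenerate_id(true); // 6. new session id once the user's state changes
        echo '<p>Thanks, ' . htmlspecialchars($_POST['email'], ENT_QUOTES, 'UTF-8') . '</p>';
    }
} else {
    echo '<form method="post"><input type="hidden" name="token" value="' . issue_form_token() . '">'
       . 'Age <input name="age"> Email <input name="email"> <input type="submit"></form>';
}
```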