The code is as follows:
<?
// $_GET['query'] is written to the page without any escaping
echo ("<p>search results for query: ") .
$_GET['query'] . ".</p>";
?>
The main problem with this code is that it writes user-submitted data directly into the page, which results in an XSS vulnerability. There are actually many ways to fix this vulnerability. So which code is the one we want?
The code is as follows:
<?
// the query is escaped before it is written to the page
echo ("<p>search results for query: ") .
htmlspecialchars($_GET['query']) . ".</p>";
?>
This is the minimum requirement. The htmlspecialchars function closes the XSS vulnerability by escaping the characters that have special meaning in HTML.
The code is as follows:
<?php
// output only when the parameter is present; escape both quote styles
if (isset($_GET['query']))
    echo '<p>search results for query: ',
    htmlspecialchars($_GET['query'], ENT_QUOTES) . '.</p>';
?>
Whoever can write this code is the person I want to hire:
* <? is replaced with <?php, which is more in line with XML specifications.
* The code checks that $_GET['query'] is set (not null) before outputting it.
* The extra parentheses in the echo command are removed.
* The strings are delimited by single quotes, which saves PHP from scanning them for variables to interpolate.
* Commas are used instead of periods, which saves echo time.
* The ENT_QUOTES flag is passed to the htmlspecialchars function to ensure that single quotes are escaped as well. Although this is not the most important point, it is a good habit.
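The last point is easiest to see when the same value is also placed inside a single-quoted attribute. The following is an added example, not code from the original page; the render_search() helper, the value attribute and the sample query are assumptions made for illustration.

```php
<?php
// Added example: compares htmlspecialchars() flag sets on one constructed input.
// render_search() and the sample query are hypothetical, for illustration only.

/**
 * Build the search-results fragment: the query is shown in the paragraph
 * and prefilled in a single-quoted value attribute, escaped with $flags.
 */
function render_search(?string $query, int $flags): string
{
    if ($query === null) {          // same guard as isset($_GET['query'])
        return '';
    }
    // Flags and charset are passed explicitly so the result does not
    // depend on the defaults of the running PHP version.
    $safe = htmlspecialchars($query, $flags, 'UTF-8');
    return "<p>search results for query: $safe.</p>\n"
         . "<input type='text' name='query' value='$safe'>\n";
}

// Constructed sample input containing every character htmlspecialchars handles.
$query = "O'Reilly & \"Sons\" <b>";

$modes = [
    'ENT_NOQUOTES' => ENT_NOQUOTES, // escapes & < > only
    'ENT_COMPAT'   => ENT_COMPAT,   // also escapes "
    'ENT_QUOTES'   => ENT_QUOTES,   // also escapes '
];

foreach ($modes as $name => $flags) {
    $html = render_search($query, $flags);
    // A raw apostrophe left in the escaped text ends the attribute value early.
    $escaped = htmlspecialchars($query, $flags, 'UTF-8');
    $intact  = strpos($escaped, "'") === false;
    echo "== $name ==\n$html";
    echo $intact
        ? "attribute value stays intact\n\n"
        : "raw ' survives: the attribute value ends after the O\n\n";
}
```

Only the ENT_QUOTES run keeps the attribute value whole; in the paragraph all three runs are safe, because < and & are always escaped.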