The following section of the "poor" PHP code is a simplified test question. This is like a question: how do you optimize this code?
The code is as follows:
Echo ("
Search results for query :").
$ _ GET ['query']. ".
";
?>
The main problem with this code is that it directly displays the data submitted by the user on the webpage, resulting in an XSS vulnerability. There are actually many ways to fill this vulnerability. So what code is what we want?
The code is as follows:
Echo ("
Search results for query :").
Htmlspecialchars ($ _ GET ['query']). ".
";
?>
This is the minimum requirement. The XSS vulnerability is filled by the htmlspecialchars function, thus blocking invalid characters.
The code is as follows:
If (isset ($ _ GET ['query'])
Echo'
Search results for query :',
Htmlspecialchars ($ _ GET ['query'], ENT_QUOTES ).'.
';
?>
The person who can write this code should be the one I want to hire:
* * Determine whether the $ _ GET ['query'] value is null before outputting it.
* The extra parentheses in the echo command are removed.
* The string is limited by single quotes, which saves PHP time to search for replaceable variables from the string.
* Use commas instead of periods to save the echo time.
* The ENT_QUOTES identifier is passed to the htmlspecialchars function to ensure that single quotes are escaped. Although this is not the most important one, it is also a good habit.