过滤函数绕过-XSS
addslashes() -过滤 ' \ --绕过 <svg/onload=alert(1)>
1 //insert.html --输入 2 <html> 3 <head> 4 <meta charset="utf-8"> 5 <title></title> 6 </head> 7 <body> 8 <form action=Inset.php method="post"> 9 <textarea name="text" id="text"></textarea><br/> 10 <button type="submit" onclick="getValue()">提交</button> 11 12 </form> 13 <script> 14 function getValue(){ 15 var x = document.getElementById("text"); 16 if(x.value == ''){ 17 alert('输入框不能为空'); 18 } 19 20 } 21 </script> 22 </body> 23 </html>View Code
1 //处理 2 <?php 3 $txt = $_POST['text']; 4 if($txt == null) { 5 header("location:insert.html"); 6 } 7 $con = mysqli_connect("localhost","root","root","test"); 8 $sql = "UPDATE tt SET ttNum = '$txt' WHERE ID = 2"; 9 $result = mysqli_query($con,$sql); 10 if($result){ 11 header("location:main.html"); 12 } 13 ?>View Code
1 //main.html --显示取值 2 <html> 3 <head> 4 <meta charset="utf-8"> 5 <title></title> 6 </head> 7 <body> 8 <p>Welcome!</p> 9 <?php 10 $con = mysqli_connect("localhost","root","root","test"); 11 $sql = "select * from tt where ID=2"; 12 $result = mysqli_query($con,$sql); 13 if($result){ 14 $row = mysqli_fetch_assoc($result); 15 $str = $row['ttNum']; 16 echo addslashes($str); 17 } 18 ?> 19 </body> 20 </html>View Code
SRE实战 互联网时代守护先锋,助力企业售后服务体系运筹帷幄!一键直达领取阿里云限量特价优惠。
更多精彩
