当前位置: 动力学知识库 > 问答 > 编程问答 >

php - Preventing XSS with foreach loop

问题描述:

Is using a foreach safe to do or does this open up for more security leaks?

<?php

foreach ($_POST as $key=>$value){

$_POST[$key] = htmlspecialchars($_POST[$key]);

}

?>

<form method="POST" action="">

<input type="text" name="test" value="<?=isset($_POST['test'])?$_POST['test']:''?>"/>

<input type="submit" />

</form>

VS.

<?php

$_POST['test'] = htmlspecialchars($_POST['test']);

?>

<form method="POST" action="">

<input type="text" name="test" value="<?=isset($_POST['test'])?$_POST['test']:''?>"/>

<input type="submit" />

</form>

网友答案:

If the user tries to inject an array then htmlentities will generate a notice, you should check for a string before calling it, else:

Notice: Array to string conversion 

I have been using Acunetix(http://www.acunetix.com/), if you can afford it, it showed me flaws in my code

分享给朋友:
您可能感兴趣的文章:
随机阅读: