我的网站上有一个我刚刚创建的表单,但我不确定如何保护它,当我用mysql_real_aescape_string包装变量时,它会阻止它们的回声。有人能看看我的脚本,告诉我缺陷在哪里,以及我如何纠正它们吗?感谢
<?php
$kop = $_POST['severity'];
$loc = $_POST['location'];
$summary = $_POST['summary'];
$name = $_POST['name'];
$email = $_POST['email'];
$to = 'support@.co.uk';
$subject = 'Bug Report';
$message = 'Kind of Problem ' . $kop . 'Location of Problem ' . $loc . 'Summary of Bug ' . $summary . 'Name ' . $name . 'Email Adress ' . $email;
$headers = 'From: .co.uk';
mail($to, $subject, $message, $headers);
echo "<meta http-equiv='"refresh'" content='"0;URL=/report-bug.php?msg=bugsuccess'">";
?>
<?php
$kop = trim(htmlspecialchars(str_replace(array("'r'n", "'r", "'0"), array("'n", "'n", ''), $_POST['severity']), ENT_COMPAT, 'UTF-8'));
$loc = trim(htmlspecialchars(str_replace(array("'r'n", "'r", "'0"), array("'n", "'n", ''), $_POST['location']), ENT_COMPAT, 'UTF-8'));
$summary = trim(htmlspecialchars(str_replace(array("'r'n", "'r", "'0"), array("'n", "'n", ''), $_POST['summary']), ENT_COMPAT, 'UTF-8'));
$name = trim(htmlspecialchars(str_replace(array("'r'n", "'r", "'0"), array("'n", "'n", ''), $_POST['name']), ENT_COMPAT, 'UTF-8'));
$email = trim(htmlspecialchars(str_replace(array("'r'n", "'r", "'0"), array("'n", "'n", ''), $_POST['email']), ENT_COMPAT, 'UTF-8'));
$to = 'support@.co.uk';
$subject = 'Bug Report';
$message = 'Kind of Problem ' . $kop . 'Location of Problem ' . $loc . 'Summary of Bug ' . $summary . 'Name ' . $name . 'Email Adress ' . $email;
$headers = 'From: .co.uk';
mail($to, $subject, $message, $headers);
echo "<meta http-equiv='"refresh'" content='"0;URL=/report-bug.php?msg=bugsuccess'">";
?>