将 POST 数据输出到 <<<'EOT'
Outputting POST data into <<<'EOT'
我正在制作一个内容管理系统。我允许用户通过表单 post 一些信息,然后将在新页面上使用这些信息(例如 'page title' 和 'carousel speed'),但我正在努力将该信息放入生成的页面。
要添加网站的内容,我正在使用 $page .= <<<'EOT' 并将 html 放在那里,但试图在其中回显 $_POST 变量意味着 PHP 当我在 EOT 中编写代码时,代码将按字面意义出现,而不是结果。
有没有办法告诉 EOT 将 <?php echo $_POST['speed'] ?> 视为例外?
<?php
$addTo = $_POST['addTo'];
//$visit = $_POST['visit'];
$dir = $_POST['name'];
$desc = $_POST['desc'];
$dir = preg_replace('/\s+/', '_', $dir);
mkdir($addTo.'/'.$dir, 0777);
mkdir($addTo.'/'.$dir.'/photos', 0777);
//Make page
$content = "he";
$myfile = fopen ($addTo.'/'.$dir.'/index.php', "w") or die ("Unable to open file!");
$page = "";
$speed = $_POST['speed'];
$page .= <<<'EOT'
<head>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
<script src="https://code.jquery.com/jquery-3.1.0.min.js" integrity="sha256-cCueBR6CsyA4/9szpPfrX3s49M9vUU5BgtiJj06wt/s=" crossorigin="anonymous"></script>
<script src="https://use.fontawesome.com/2c6a42bed3.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
</head>
<body>
<div id="myCarousel" class="carousel slide" data-ride="carousel">
<!-- Indicators -->
<ol class="carousel-indicators" style="display:none">
<li data-target="#myCarousel" data-slide-to="0" class="active"></li>
<li data-target="#myCarousel" data-slide-to="1"></li>
<li data-target="#myCarousel" data-slide-to="2"></li>
<li data-target="#myCarousel" data-slide-to="3"></li>
</ol>
<!-- Wrapper for slides -->
<div class="carousel-inner" role="listbox">
<?php
$active = "active";
$url = $_SERVER['REQUEST_URI'].'photos/';
//echo $url." - url<br/>";
$conn = mysqli_connect("localhost","root","","test");
$sql = "SELECT speed FROM pages WHERE title = ''";
if (mysqli_connect_errno()) {echo "Failed to connect to MySQL: " . mysqli_connect_error();}
$sql = "SELECT * FROM photos WHERE url = '$url'";
$result = mysqli_query($conn, $sql);
while($row = mysqli_fetch_array($result)) {
?>
<div class="item <?=$active?>">
<img src="<?php echo $row['url'].$row['caption']; ?>">
</div>
<?php
$active="";
}
$conn->close();
?>
</div>
<!-- Left and right controls -->
<a class="left carousel-control" href="#myCarousel" role="button" data-slide="prev">
<span class="glyphicon glyphicon-chevron-left" aria-hidden="true"></span>
<span class="sr-only">Previous</span>
</a>
<a class="right carousel-control" href="#myCarousel" role="button" data-slide="next">
<span class="glyphicon glyphicon-chevron-right" aria-hidden="true"></span>
<span class="sr-only">Next</span>
</a>
</div>
</body>
<script type="text/javascript">
$(document).ready(function(){
$("#myCarousel").carousel({
interval : 420,
pause: false
});
});
</script>
%s
EOT;
?>
<?php
$output = sprintf($page, $speed);
echo $output;
fwrite($myfile, $page);
fclose($myfile);
$conn = mysqli_connect("localhost","root","","test");
if (mysqli_connect_errno()) {echo "Failed to connect to MySQL: " . mysqli_connect_error();}
$sql = "INSERT INTO pages (title, type, description, active, speed) VALUES ('$dir', '$addTo','$desc' , '1', '$speed')";
if ($conn->query($sql) === TRUE) {
echo "New record created successfully";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
//Redirect
if (isset($visit)){
//header('Location:index.php?newPage='.$addTo.'/'.$dir.'/'.$filename);
}
else {
//header('Location:index.php?newPage='.$addTo.'/'.$dir.'/'.$filename);
}
?>
Is there a way to tell the EOT to treat the <?php echo as an
exception?
不,没有,除非您将 'EOT' 替换为 "EOT"。第一个(您当前正在使用的)将所有内容都视为原始字符串。第二个与 PHP 中的双引号一样工作,因此将解析字符串并识别变量。
我会像你一样继续使用 'EOT',并在字符串中插入占位符 %s。然后我会使用 sprintf 将占位符替换为值 (see the docs)
// the %s will be replaced later with your values
$template = <<< 'EOT'
The car has speed %s and a mileage of %s ...
EOT;
//build the args. Use htmlspecialchars to protect your users from
// Cross-Site Scripting attacks
$args = [
htmlspecialchars($_POST['speed']),
htmlspecialchars($_POST['mileage']),
...
];
//insert the args into the template
$output = sprintf($template, ...$args);
echo $output;
安全说明: 因为你输出的字符串是用户发回给浏览器的,所以你很容易受到攻击 Cross-Site Scripting (XSS) attacks:用户可以让你的网站执行任何她想要的代码,因为您正在使用她的输入来构建页面。我用 htmlspecialchars() 清理了输入以保护你。
我正在制作一个内容管理系统。我允许用户通过表单 post 一些信息,然后将在新页面上使用这些信息(例如 'page title' 和 'carousel speed'),但我正在努力将该信息放入生成的页面。
要添加网站的内容,我正在使用 $page .= <<<'EOT' 并将 html 放在那里,但试图在其中回显 $_POST 变量意味着 PHP 当我在 EOT 中编写代码时,代码将按字面意义出现,而不是结果。
有没有办法告诉 EOT 将 <?php echo $_POST['speed'] ?> 视为例外?
<?php
$addTo = $_POST['addTo'];
//$visit = $_POST['visit'];
$dir = $_POST['name'];
$desc = $_POST['desc'];
$dir = preg_replace('/\s+/', '_', $dir);
mkdir($addTo.'/'.$dir, 0777);
mkdir($addTo.'/'.$dir.'/photos', 0777);
//Make page
$content = "he";
$myfile = fopen ($addTo.'/'.$dir.'/index.php', "w") or die ("Unable to open file!");
$page = "";
$speed = $_POST['speed'];
$page .= <<<'EOT'
<head>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
<script src="https://code.jquery.com/jquery-3.1.0.min.js" integrity="sha256-cCueBR6CsyA4/9szpPfrX3s49M9vUU5BgtiJj06wt/s=" crossorigin="anonymous"></script>
<script src="https://use.fontawesome.com/2c6a42bed3.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
</head>
<body>
<div id="myCarousel" class="carousel slide" data-ride="carousel">
<!-- Indicators -->
<ol class="carousel-indicators" style="display:none">
<li data-target="#myCarousel" data-slide-to="0" class="active"></li>
<li data-target="#myCarousel" data-slide-to="1"></li>
<li data-target="#myCarousel" data-slide-to="2"></li>
<li data-target="#myCarousel" data-slide-to="3"></li>
</ol>
<!-- Wrapper for slides -->
<div class="carousel-inner" role="listbox">
<?php
$active = "active";
$url = $_SERVER['REQUEST_URI'].'photos/';
//echo $url." - url<br/>";
$conn = mysqli_connect("localhost","root","","test");
$sql = "SELECT speed FROM pages WHERE title = ''";
if (mysqli_connect_errno()) {echo "Failed to connect to MySQL: " . mysqli_connect_error();}
$sql = "SELECT * FROM photos WHERE url = '$url'";
$result = mysqli_query($conn, $sql);
while($row = mysqli_fetch_array($result)) {
?>
<div class="item <?=$active?>">
<img src="<?php echo $row['url'].$row['caption']; ?>">
</div>
<?php
$active="";
}
$conn->close();
?>
</div>
<!-- Left and right controls -->
<a class="left carousel-control" href="#myCarousel" role="button" data-slide="prev">
<span class="glyphicon glyphicon-chevron-left" aria-hidden="true"></span>
<span class="sr-only">Previous</span>
</a>
<a class="right carousel-control" href="#myCarousel" role="button" data-slide="next">
<span class="glyphicon glyphicon-chevron-right" aria-hidden="true"></span>
<span class="sr-only">Next</span>
</a>
</div>
</body>
<script type="text/javascript">
$(document).ready(function(){
$("#myCarousel").carousel({
interval : 420,
pause: false
});
});
</script>
%s
EOT;
?>
<?php
$output = sprintf($page, $speed);
echo $output;
fwrite($myfile, $page);
fclose($myfile);
$conn = mysqli_connect("localhost","root","","test");
if (mysqli_connect_errno()) {echo "Failed to connect to MySQL: " . mysqli_connect_error();}
$sql = "INSERT INTO pages (title, type, description, active, speed) VALUES ('$dir', '$addTo','$desc' , '1', '$speed')";
if ($conn->query($sql) === TRUE) {
echo "New record created successfully";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
//Redirect
if (isset($visit)){
//header('Location:index.php?newPage='.$addTo.'/'.$dir.'/'.$filename);
}
else {
//header('Location:index.php?newPage='.$addTo.'/'.$dir.'/'.$filename);
}
?>
Is there a way to tell the EOT to treat the
<?php echoas an exception?
不,没有,除非您将 'EOT' 替换为 "EOT"。第一个(您当前正在使用的)将所有内容都视为原始字符串。第二个与 PHP 中的双引号一样工作,因此将解析字符串并识别变量。
我会像你一样继续使用 'EOT',并在字符串中插入占位符 %s。然后我会使用 sprintf 将占位符替换为值 (see the docs)
// the %s will be replaced later with your values
$template = <<< 'EOT'
The car has speed %s and a mileage of %s ...
EOT;
//build the args. Use htmlspecialchars to protect your users from
// Cross-Site Scripting attacks
$args = [
htmlspecialchars($_POST['speed']),
htmlspecialchars($_POST['mileage']),
...
];
//insert the args into the template
$output = sprintf($template, ...$args);
echo $output;
安全说明: 因为你输出的字符串是用户发回给浏览器的,所以你很容易受到攻击 Cross-Site Scripting (XSS) attacks:用户可以让你的网站执行任何她想要的代码,因为您正在使用她的输入来构建页面。我用 htmlspecialchars() 清理了输入以保护你。