Basic ideas:
Write an independent program for each function or page
Let clients learn as little as possible about your server side
Don't reason about the problem from the assumption that "the client will only enter what it is supposed to"
Think of as many cases as possible that must not be allowed to happen
1. Possible problems with interactive dynamic web pages
1.1 Form type interaction
1.1.1 Introduction to concepts
When we interact with visitors, the form (submitted with the post/get/put methods) is the most commonly used mechanism. Although it is very convenient, many problems arise because of it.
The input tag in a form is used to accept information entered by users, such as username, password, email, etc. If you don't check user input well, a malicious user can get around some security mechanisms and bypass authentication.
For example, entering a standard HTML statement or a JavaScript statement will change the output result. What happens when you enter a standard HTML statement in the input box? Suppose that in a message book we enter the following as the content of our message: <font size=10>Hello!</font>. If your program does not screen out HTML statements, the "Hello" will be displayed in a changed font size. Changing the font size or adding stickers in a message book is sometimes not a bad thing; it can make the message book vivid. But if you write a JavaScript dead loop in the input box, such as:
<a href="http://someurl" onMouseover="while(1){window.close('/')}">The first thousand thrilling</a>
then when other guests view the messages and move the mouse over "The first thousand thrilling", their browser will hang because of the dead loop.
1.1.2 Key points of prevention
(1) Filter special characters
The Perl substitution s/([\&;\`'\\\|"*?~<>^\(\)\[\]\{\}\$\n\r])/\\$1/g; puts a backslash in front of every one of the listed shell metacharacters in the input. This is the most basic measure, and it has been mentioned more than once in many places.
<script language="vbscript">
sub buButton_onclick
  ' Client-side check: refuse to submit while either field is blank
  if form1.uUserName.value="" then
    msgbox "Your name cannot be empty!",0+32,"Oh! Not yet possible"
    form1.uUserName.focus
    exit sub
  end if
  if form1.uPassword.value="" then
    msgbox "Your password cannot be empty!",0+32,"Oh! Not yet possible"
    form1.uPassword.focus
    exit sub
  end if
  form1.submit
end sub
</script>
<script language="javascript">
function isEmpty(objname)
{
  var str = document.inputform[objname].value
  // Strip the special characters listed in (1), then whitespace, so a field
  // consisting only of those characters counts as empty
  var tmpstr = str.replace(/[&;`'\\|"*?~<>^()\[\]{}$\n\r]/g, "")
  tmpstr = tmpstr.replace(/\s/g, "")
  return (tmpstr.length == 0)
}
function check()
{
  var tf = document.inputform
  var errors = ""
  if (isEmpty("username")) errors += "Username cannot be empty.\n";
  if (isEmpty("password")) errors += "Password cannot be empty!\n"
  if (errors != "")
    alert(errors);
  return (errors == "")
}
</script>
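The checks above run in the visitor's browser, so the server must repeat them; the following is an added example (not the article's code) of the server-side counterpart in Node.js: the special-character filter from point (1), the same emptiness rule as isEmpty()/check(), and HTML encoding for the message-book case, with constructed sample inputs taken from the article. Function names and the field layout are assumptions.

```javascript
// Added example, not from the article. Node.js, no dependencies.

// The special-character filter from point (1), as a JavaScript equivalent of the Perl
// s/([...])/\\$1/g: every listed metacharacter gets a backslash in front of it.
const META = /([&;`'\\|"*?~<>^()\[\]{}$\n\r])/g;
function escapeMeta(s) {
  return s.replace(META, "\\$1");
}

// For text that is echoed back into an HTML page (the message book), escaping shell
// metacharacters is the wrong tool; the markup characters must be encoded so that
// <font> and the onMouseover anchor are displayed literally instead of interpreted.
const HTML_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_MAP[c]);
}

// The emptiness rule used by isEmpty() on the client, repeated on the server: strip the
// metacharacters and whitespace, and treat whatever is left being empty as "empty".
function isBlank(v) {
  if (typeof v !== "string") return true;
  return v.replace(META, "").replace(/\s/g, "").length === 0;
}

// Validate a login form body the way check() does, but where the client cannot skip it.
// Returns the list of error messages (an empty list means the submission is acceptable).
function validateLogin(fields) {
  const errors = [];
  if (isBlank(fields.username)) errors.push("Username cannot be empty.");
  if (isBlank(fields.password)) errors.push("Password cannot be empty!");
  return errors;
}

// Render one message-book entry safely: encode first, then wrap in markup. This is
// what stops the <font size=10> and onMouseover payloads from the article from taking effect.
function renderEntry(name, message) {
  return "<p><b>" + escapeHtml(name) + "</b>: " + escapeHtml(message) + "</p>";
}

// Constructed sample inputs: the article's two message-book examples and a blank login.
console.log(renderEntry("guest", "<font size=10>Hello!</font>"));
console.log(renderEntry("guest",
  '<a href="http://someurl" onMouseover="while(1){window.close(\'/\')}">The first thousand thrilling</a>'));
console.log(validateLogin({ username: "  ", password: "<>" }));
console.log(escapeMeta("a;b|c"));
```

The rendered entries contain no live tags, and the login with only whitespace and metacharacters is rejected even if the browser-side check() was skipped.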