Javascript: creating a new PHP file with PHP_Javascript_Php_Jquery_Mysql - Fatal编程技术网

Javascript: creating a new PHP file with PHP


I have a dynamic admin panel, and I need to implement a feature that lets the user add a new category or sub-category page.

I have a form in which the user enters the category's name, an image and a description of the category. I want the whole page to be dynamic, but the result is static. I can't think of a way to run queries on the newly created page.

<script src="ckeditor/ckeditor.js"></script>

<?php
include'header.php';
include'connection.php'; 
?>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<script>
function CreateURL()
{
    var CatName = document.getElementById("Catname").value;
    var URL = CatName.toLowerCase();
    var replacedString = URL.replace(/ /g, "-");
    var FinalURL = replacedString + ".php";
    var a = document.getElementById("CreatedURl");
    a.value = FinalURL;
}
</script>
<?php
 if(isset($_POST['sub']))
 {
 $catname=$_POST['category_name'];
 $url=$_POST['url'];

 $desc=$_POST['category_description'];



$myFile = "../$url"; // or .php; $url comes straight from the form and is used as a path unchanged
$fh = fopen($myFile, 'w');
$stringData = "<?php \n";
$stringData .= "include 'header.php'; \n";
$stringData .= "?> \n";
$stringData .= "<div class='clearfix mb5'></div> \n"; 
$stringData .= "<div class='inner-banner'><img src='images/inner-banner.jpg' alt='' class='img-responsive' id='innban' /></div> \n";
$stringData .= "<div class='clearfix'></div> \n";
$stringData .= "<h1 class='fl'></h1>  <p class='clearfix'></p> <div class='tree'> \n";
$stringData .= "<div class='breadcrumb_outer hidden-xs'> \n";
$stringData .= "<div class='container'> \n";
$stringData .=    "<ul class='breadcrumb'> \n";
$stringData .=   "<li class='pl5'><a class='brd' href='index.php'>Home</a></li><li id='brt' class='active'><?php echo $catname; ?></li> \n";
$stringData .= "</ul> \n";
$stringData .= "</div> \n";
$stringData .= "</div> \n";
$stringData .= "<div itemscope='' itemtype='http://data-vocabulary.org/Breadcrumb' class='dib'><span itemprop='title'></span></div> \n";
$stringData .= "</div> \n";
$stringData .= "<div class='container'> \n";
$stringData .= "<div class='mid_area'> \n";

$stringData .= "<div class='pl5 pr5'> \n";

$stringData .="<div class='row'> \n";

$stringData .= "<div class='col-md-9' style='background-color:#deebf7;'> \n";
$stringData .= "<h1 class='mb20'><?php echo $catname; ?></h1> \n";
$stringData .= "<p1 class='innertext'> \n";
$stringData .=   "<?php echo $desc; ?> \n";
$stringData .= "</p1> \n";
$stringData .= "<br> \n";
$stringData .= "<br> \n";
$stringData .= "<p2 class='innertex'>Please click the adjacent tool bar to explore the <?php echo $catname; ?> undertaken by Racon Marine. </p2> \n";
$stringData .= "<?php include'sidebar.php'; ?> \n";
$stringData .= "<div class='clearfix mb10'></div> \n"; 
$stringData .= "</div></div></div></div><br><br><br> \n";
$stringData .= "<?php include'footer.php'; ?>";
fwrite($fh, $stringData);

$dir=explode(".",$url);


$image = $_FILES['image']['name'];
    $temp_name = $_FILES['image']['tmp_name'];
    move_uploaded_file($temp_name, "homethumbs/$image"); // saved under the client-supplied file name

$sql="INSERT INTO category(name,image,url,description) VALUES('$catname','$image','$url','$desc')"; // form values interpolated straight into the SQL string
$query = mysqli_query($conn, $sql);
if($query)
    {
$directoryName = "../".$dir[0];
if(!is_dir($directoryName)){
//Directory does not exist, so lets create it.
mkdir($directoryName, 0755, true);
 }

echo"<script> alert('Category added successfully...');</script>";


 }
else
 {
echo"<script> alert('Unsuccessful..');</script>";
 }

fclose($fh);


}
?>
<div class="content">
<div id="content">

<div class="breadcrumb_sitepanel"><a href="dashboard.php">Home</a> &raquo; 
<a href="categories.php">Back To Listing</a> &raquo; Add Category </div>
<div class="box">
<div class="heading">
<h1><img src="image/category.png" alt="" /> Add Category</h1>
<div class="buttons"><a href="categories.php" class="button" ><span>Cancel</span></a></div>
</div>
<div class="content">
 <form action="" enctype="multipart/form-data" method="post" accept-charset="utf-8">
 <div id="tab_pinfo">
 <table width="90%"  class="form"  cellpadding="3" cellspacing="3">
  <tr><th colspan="2" align="center" > </th></tr>
    <tr class="trOdd">
  <td height="26" align="right" ><span class="required">*</span> Name :</td>
  <td>
    <input type="text" name="category_name" value=""  class="url_creator" placeholder="Your Catgeory Name" size="40" id="Catname" required /> <a href="#" class="url_from_title" onclick="CreateURL()">Create URL</a><br />

    <div id="error_url_creator" class="red"></div>
  </td>
  </tr>
  <tr class="trOdd">
   <td height="26" align="right"><span class="required">**</span> 
    Page URL :</td>
   <td>
   <div class="seo_url">
              <input type="text" id="CreatedURl" name="url" required/>
   </div>
   <div id="error_friendly_url" class="red"></div>
    </td>
     </tr>

        <tr class="trOdd">
         <td width="28%" height="26" align="right" >Image :</td>
         <td align="left"><input type="file" name="image" required/><br /><br />[ ( File should be .jpg, .png, .gif format and file size should not be more then 1 MB (1024 KB)) ( Best image size 225X218) ]</td>
        </tr>

        <tr class="trOdd">
         <td width="28%" height="26" align="right" >Alt :</td>
         <td align="left"><input type="text" name="category_alt" value="" /><br /></td>
        </tr>
        <tr class="trOdd">
         <td height="26" align="right"> Description :</td>
         <td><textarea class="ckeditor" name="category_description" rows="5" cols="50" id="cat_desc" required></textarea></td>
        </tr>

        <tr class="trOdd">
         <td align="left">&nbsp;</td>
         <td align="left">
          <input type="submit" name="sub" value="Add" class="button2" />

                     </td>
        </tr>
     </table>
    </div>
    </form>  </div>
   </div>
  </div>
  </div>
  </div>
 <div id="footer">Racon Marine &copy; 2017 All Rights Reserved.</div>
 </body></html>

Instead of this

$stringData .= "<?php echo $catname; ?> \n";

do this

$stringData .= "$catname \n";

The code provided is vulnerable to the following:

  • SQL injection attacks ($catname is not validated anywhere)
  • XSS attacks (anyone can post JavaScript to the site)
  • Arbitrary code upload attacks, by passing any data to fopen() without checking it; the $url variable may contain a malicious string such as ../../../some_other_folder.php

Consider the following:

  • Validate user input (if it is going to be fed to fopen, remove slashes, and consider using escapeshellcmd)
  • Store user data in the DB rather than in PHP files
  • Disk is slow; use the DB instead

The user's input is not validated, so anyone can put whatever they want into any field of any table in the database, they can flush the database, and so on. That is not good.

I think the better approach is simply to receive the data from the user and store it in the DB, combined with .htaccess mod_rewrite redirects and a single PHP file that handles all the dynamic requests.

I have been there, generating PHP files dynamically; it is not a good idea and it does not scale. Once you have thousands of PHP files in one folder the filesystem has problems, FTP clients become sluggish, etc.

Also, there is this:

$fh = fopen($myFile, 'w');
$stringData = "<?php \n";
$stringData .= "include'header.php' \n";
$stringData .= "?> \n";

//some lines elided

$stringData .=   "<?php echo $desc; ?> \n";

//vulnerability -------------^


//some lines elided

$stringData .= "</p1> \n";
fwrite($fh, $stringData);
Anyone can send any bytes into $desc, which means they can upload arbitrary malicious PHP to the server and run arbitrary commands, e.g. download all the source code, deface the website, etc.

Unless the user's input is sanitized, this code is dangerous.


HTH.
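The answer above recommends keeping the category in the database instead of writing a new PHP file per category. As an added example (not code from the question or from the answer), this is what the "Add Category" handler looks like when that advice is followed: the slug is derived on the server and whitelisted, the row is inserted through a PDO prepared statement, and the upload is checked by content and stored under a random name. It assumes that connection.php provides a PDO instance in `$pdo` (the question's connection.php exposes a mysqli handle `$conn` instead), the `category` table from the question, and a writable `homethumbs/` directory; `slug_from_name`, `valid_slug`, `store_upload` and `add_category` are names chosen for this example.

```php
<?php
// Added example, not code from the question or the answer: the "Add Category"
// handler rewritten to follow the answer's advice. No .php file is generated;
// the category becomes a database row and is served by a single page.
// Assumptions: connection.php creates a PDO instance in $pdo, the `category`
// table from the question, and a writable homethumbs/ directory next to this file.
declare(strict_types=1);
require 'connection.php';   // assumed to define $pdo (PDO, MySQL)

// Derive the slug on the server from the name; the client's CreatedURl field
// is ignored, so the page path is never under user control.
function slug_from_name(string $name): string
{
    $slug = strtolower(trim($name));
    $slug = preg_replace('/[^a-z0-9]+/', '-', $slug);
    return trim($slug, '-');
}

// Whitelist: lowercase letters, digits and single hyphens, at most 64 chars.
// "../../../some_other_folder.php" cannot match this.
function valid_slug(string $slug): bool
{
    return strlen($slug) <= 64
        && preg_match('/^[a-z0-9]+(?:-[a-z0-9]+)*$/', $slug) === 1;
}

// Accept only a real jpg/png/gif under 1 MB (as the form promises) and
// store it under a random server-chosen name, so the original filename
// (e.g. "shell.php") never reaches the filesystem.
function store_upload(array $file, string $dir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > 1024 * 1024) {
        throw new RuntimeException('file larger than 1 MB');
    }
    $info = getimagesize($file['tmp_name']);      // looks at the bytes, not the name
    $type = $info === false ? 0 : $info[2];
    $ext = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'][$type] ?? null;
    if ($ext === null) {
        throw new RuntimeException('not a jpg, png or gif image');
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dir . '/' . $name)) {
        throw new RuntimeException('could not store the image');
    }
    return $name;
}

// Insert with placeholders: the values travel separately from the SQL text,
// so a name like "x'); DROP TABLE category; --" is just a string.
function add_category(PDO $pdo, string $name, string $desc, array $file): string
{
    $slug = slug_from_name($name);
    if ($name === '' || !valid_slug($slug)) {
        throw new InvalidArgumentException('category name does not yield a valid slug');
    }
    $image = store_upload($file, __DIR__ . '/homethumbs');
    $stmt = $pdo->prepare(
        'INSERT INTO category (name, image, url, description) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$name, $image, $slug, $desc]);   // $desc stored as typed, escaped on output
    return $slug;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['sub'])) {
    try {
        $slug = add_category(
            $pdo,
            (string) ($_POST['category_name'] ?? ''),
            (string) ($_POST['category_description'] ?? ''),
            $_FILES['image'] ?? []
        );
        header('Location: category.php?slug=' . rawurlencode($slug));
        exit;
    } catch (Throwable $e) {
        http_response_code(400);
        echo '<p>Could not add category: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8') . '</p>';
    }
}
```

Two caveats. The description is stored as typed and escaped when displayed, so CKEditor markup would appear literally; if rich text has to survive, pass it through an HTML sanitizer (HTML Purifier, for instance) before storing it rather than trusting it. And give `category.url` a UNIQUE index, so a second category whose name yields the same slug fails loudly instead of shadowing the first.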

"I want the whole page to be dynamic, but the result is static": what does that mean?

Hint: you can use ob_start() to avoid all the $stringData .= concatenation. You should also be aware of the security implications of allowing arbitrary code execution (such as a category named ...). So the better solution is to store the categories in a database and access all of them through one page via a $_GET parameter. The explanation of using $_GET parameters here is very good. With rewriting you can also display the category name.

Is your reply to his question a comment?
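The comments suggest ob_start() in place of the `$stringData .=` chain and a single page driven by a `$_GET` parameter, which is also the single-file approach the answer recommends. As an added example, not code from the original post, answer or comments, here is one category.php that serves any slug from the database, with the template captured through ob_start() and every value escaped on output. It assumes connection.php provides a PDO instance in `$pdo`, the `category` table from the question, and the mod_rewrite rule quoted in the header comment; `e`, `load_category`, `render` and `category_template` are names chosen for this example.

```php
<?php
// Added example, not part of the original question, answer or comments.
// With this .htaccess rule (assumed; needs mod_rewrite enabled):
//   RewriteEngine On
//   RewriteRule ^([a-z0-9-]+)$ category.php?slug=$1 [L,QSA]
// a request for /services is handled by this file with $_GET['slug'] = 'services',
// so no per-category .php file is ever written to disk.
declare(strict_types=1);
require 'connection.php';   // assumed to define $pdo (PDO, MySQL)

// Escape a value for HTML text or attribute context.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Fetch one category by slug with a prepared statement; the slug is
// whitelisted first so nothing but [a-z0-9-] ever reaches the query.
function load_category(PDO $pdo, string $slug): ?array
{
    if (preg_match('/^[a-z0-9]+(?:-[a-z0-9]+)*$/', $slug) !== 1) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT name, image, description FROM category WHERE url = ?');
    $stmt->execute([$slug]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Run a view callback under output buffering and return what it printed,
// instead of assembling the page with $stringData .= ... lines.
function render(callable $view, array $data): string
{
    ob_start();
    try {
        $view($data);
        return ob_get_clean();
    } catch (Throwable $t) {
        ob_end_clean();
        throw $t;
    }
}

// The template: the only place the markup lives; every value goes through e(),
// so a description containing "<?php system('id'); ?>" is shown as text.
function category_template(array $c): void
{
?>
<div class="breadcrumb_outer hidden-xs"><div class="container">
  <ul class="breadcrumb">
    <li class="pl5"><a class="brd" href="index.php">Home</a></li>
    <li id="brt" class="active"><?= e($c['name']) ?></li>
  </ul>
</div></div>
<div class="container"><div class="mid_area"><div class="pl5 pr5"><div class="row">
  <div class="col-md-9" style="background-color:#deebf7;">
    <h1 class="mb20"><?= e($c['name']) ?></h1>
    <img src="homethumbs/<?= e($c['image']) ?>" alt="<?= e($c['name']) ?>" class="img-responsive" />
    <p class="innertext"><?= e($c['description']) ?></p>
    <p class="innertext">Please click the adjacent tool bar to explore the <?= e($c['name']) ?> undertaken by Racon Marine.</p>
  </div>
</div></div></div></div>
<?php
}

$slug = (string) ($_GET['slug'] ?? '');
$category = load_category($pdo, $slug);
if ($category === null) {
    http_response_code(404);
    echo 'Category not found';
    exit;
}
include 'header.php';
echo render('category_template', $category);
include 'sidebar.php';
include 'footer.php';
```

Because the page is selected by a database lookup on a whitelisted slug, a request for `/../../../some_other_folder.php` never maps to a file at all: it fails the regex in `load_category` and gets a 404.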