Php 保护API请求表单?
好的,我有以下php:Php 保护API请求表单?,php,Php,好的,我有以下php: <?php //function to return nice url's for our pdf's function seoUrl($string) { //Lower case everything $string = strtolower($string); //Make alphanumeric (removes all other characters) $string = preg_replace("/[
<?php
//function to return nice url's for our pdf's
function seoUrl($string) {
//Lower case everything
$string = strtolower($string);
//Make alphanumeric (removes all other characters)
$string = preg_replace("/[^a-z0-9_\s-]/", "", $string);
//Clean up multiple dashes or whitespaces
$string = preg_replace("/[\s-]+/", " ", $string);
//Convert whitespaces and underscore to dash
$string = preg_replace("/[\s_]/", "-", $string);
return $string;
}
//Set up our POST variables
$name = $_POST['name'];
$address1 = $_POST['address1'];
$address2 = $_POST['address2'];
$zipcode = str_replace(' ', '',$_POST['zipcode']);
//Store your XML Request in a variable
$input_xml = urlencode('<ExternalReturnLabelRequest>
<CustomerName>'.$name .'</CustomerName>
<CustomerAddress1>'.$address1.'</CustomerAddress1>
<CustomerAddress2>'.$address2.'</CustomerAddress2>
<CustomerCity>Washington</CustomerCity>
<CustomerState>DC</CustomerState>
<CustomerZipCode>'.$zipcode.'</CustomerZipCode>
<LabelFormat>NOI</LabelFormat>
<LabelDefinition>Zebra-4X6</LabelDefinition>
<ServiceTypeCode>020</ServiceTypeCode>
<AddressOverrideNotification>false</AddressOverrideNotification>
<CallCenterOrSelfService>Customer</CallCenterOrSelfService>
<AddressValidation>false</AddressValidation>
</ExternalReturnLabelRequest>');
//start Curl tried file_get_contents but to no avail..
$curl_handle=curl_init();
curl_setopt($curl_handle, CURLOPT_URL,"https://returns.usps.com/Services/ExternalCreateReturnLabel.svc/ExternalCreateReturnLabel?externalReturnLabelRequest=".$input_xml);
curl_setopt($curl_handle, CURLOPT_CONNECTTIMEOUT, 2);
curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, 1);
$query = curl_exec($curl_handle);
curl_close($curl_handle);
//decode the response this will fail if nothing returned
$pdfdecode = base64_decode($query);
if($pdfdecode != false){
$urlfriendlyname = seoUrl($name);
$myFile = "labels/labelfor".$urlfriendlyname.$zipcode.".pdf";
$fh = fopen($myFile, 'w') or die("can't open file");
fwrite($fh, $pdfdecode);
fclose($fh);
header("Location: http://thedarkroom.com/wp-content/themes/thedarkroom2012/".$myFile);
exit();
/*
MID 201198
*/
}else{
header("Location: http://thedarkroom.com/label/?labelerror=".$query);
exit();
}
echo "<pre>";
var_dump($pdfdecode);
var_dump($query);
echo "</pre>";
必须检查并清理服务器上的所有数据。总是。也不例外
逃避潜在的危险人物。根据使用数据的上下文和使用的服务器平台的不同,您应该谨慎使用的特定字符也会有所不同,但所有服务器端语言都有相应的功能
限制传入的数据量,只允许必要的数据
沙盒上载的文件(将它们存储在不同的服务器上,并且只允许通过不同的子域或更好地通过完全不同的域名访问文件)
要防止跨站点伪造,请参阅本文
定义“固定”。你想阻止什么?真的不确定,因为我不完全确定这可能有什么黑客行为。。。我假设有关于表单的最佳实践……这对于Stackoverflow来说是一个太宽泛的问题。从这是怎么回事开始研究吧,我不是在问一个开放式的问题,我是在问如何保护表单。“保护表单”是一个非常大的话题。有很多不同的攻击可以针对他们。完美正是我所寻找的!
<form method="POST" action="<?php echo get_template_directory_uri(); ?>/get_labels.php" >
<fieldset id="labelfields">
<label for="name">Name</label><br>
<input name="name" type="text" placeholder="Name"/> <br>
<label for="address1">Address Line one</label>
<input name="address1" type="text" placeholder="Address line one"/><br>
<label for="address2">Address Line two</label>
<input name="address2" type="text" placeholder="Address line two"/><br>
<label for="zipcode">Zip code</label>
<input name="zipcode" type="text" placeholder="Zip Code"/><br>
<label for="CustomerState">State</label>
<input name="CustomerState" type="text" placeholder="State"/><br>
<label for="CustomerCity">City</label>
<input name="CustomerCity" type="text" placeholder="City"/><br>
<input type="submit" value="Create Label" />
</fieldset>
</form>