#### 1. XSS注入

提交的表单不过滤就保存入库会造成XSS注入。

XSS注入的例子：

~~~php
if($_POST){
    $data=array();
    foreach($_POST as $key=>$val){
        $data[$key]=$val;
    }
    $User = new \app\index\model\User;
    $res=$User->validate(true)->allowField(true)->save($data);
    if($res){
        $this->success("报名成功!");
    }else{
        $error=$User->getError()?$User->getError():"报名失败!";
        $this->error($error);
    }
}
~~~

处理方法：

~~~php
if($_POST){
    $data=array();
    foreach($_POST as $key=>$val){
        //过滤
        $data[$key]=safe_replace($val);
    }
    $User = new \app\index\model\User;
    $res=$User->validate(true)->allowField(true)->save($data);
    if($res){
        $this->success("报名成功!");
    }else{
        $error=$User->getError()?$User->getError():"报名失败!";
        $this->error($error);
    }
}
~~~

注意：`safe_replace()` 不是 PHP 内置函数，需要在项目中自行定义。入库前过滤只是辅助手段，防御 XSS 的根本措施是在输出时按上下文转义（HTML 上下文用 `htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`），否则从其他入口写入的数据仍可能触发 XSS。另外不要原样复制所有 `$_POST` 字段，应按需要白名单取值。

#### 2. SQL注入

~~~php
$id=input('id');
$where["id"]=$id;
$info=db('Category')->where($where)->find();
~~~

防范：

~~~php
$id=input('id');
if(!($id && is_numeric($id))){
    $this->error('分类ID错误!');
}
$where["id"]=$id;
$info=db('Category')->where($where)->find();
~~~

注意：`is_numeric()` 也会接受 `'1.5'`、`'1e3'`、带前导空格等非整数形式，对整型 ID 更严格的做法是 `ctype_digit((string)$id)`，或直接按整数取值（如 `input('id/d')`）。数组形式的 `where()` 条件通常由框架做参数绑定，真正危险的是把 `$id` 直接拼接进 SQL 字符串；这里的类型校验是额外的一层防线。