便携式且安全的获取PATH_INFO的方法 [英] Portable and safe way to get PATH_INFO

问题描述

我正在寻找一种便携式方式来接收(方便的)$_SERVER['PATH_INFO']变量.

I'm seeking a portable way to receive the (handy) $_SERVER['PATH_INFO'] variable.

阅读一段时间后，发现PATH_INFO源自CGI/1.1，但我并不总是出现在所有配置中.

After reading a while, it turns out PATH_INFO is originated from CGI/1.1, and my not always be present in all configuration.

获取该变量的最佳方法(主要是从安全角度考虑)是什么-除了手动提取变量以外，(出于安全考虑).

What is the best (mostly security-wise) way to get that variable - apart from extracting it manually (security concern).

推荐答案

好吧，我(几乎)确信在不使用$_SERVER超全局键的情况下，提供一种替代方法来找出PATH_INFO只是这是不可能的，首先列出所有$ _SERVER密钥我们可能可能使用:

Well, I'm (almost) sure that without making use of the $_SERVER superglobal keys, providing a alternative way to figure out PATH_INFO is just impossible, that being said lets first list all of the $_SERVER keys that we may possibly use:

• 'PHP_SELF'
• "QUERY_STRING"
• "SCRIPT_FILENAME"
• 'PATH_TRANSLATED'
• "SCRIPT_NAME"
• 'REQUEST_URI'
• "PATH_INFO"
• 'ORIG_PATH_INFO'

我们显然需要忽略最后两个.现在，我们应该(我不知道这个事实，我只是假设是因为您这样说)过滤掉您提供的链接中存在的所有键(

We obviously need to ignore the last two. Now we should (I don't know this for a fact, I'm just assuming because you said so) filter all the keys that exist in the link you provided (which BTW is offline ATM), that leaves us with the following keys:

• 'PHP_SELF'
• "SCRIPT_FILENAME"
• 'REQUEST_URI'

关于您对安东尼的回答的评论:

您现在只是在处理变量. SCRIPT_FILENAME是CGI的一部分 规格如果以下情况将不可用 PATH_INFO不可用.至于 REQUEST_URI，它是apache的mod_rewrite 具体的. – LiraNuna

You are just juggling variables now. SCRIPT_FILENAME is a part of the CGI spec. It will not be available if PATH_INFO is unavailable. As for REQUEST_URI, it's apache's mod_rewrite specific. – LiraNuna

我正在使用PHP 5.3.0作为CGI运行 LightTPD/1.4.20-1(Win32)，cgi.fix_pathinfo = 1和$_SERVER['REQUEST_URI']对我来说非常有用，我还记得使用它以前没有人使用过相同的变量mod_rewrite，因此我诚实的谦虚猜测是，您在这一点上显然是错误的.关于SCRIPT_FILENAME键，我无法测试那个自动柜员机.不过，如果我们真的很努力地闭上眼睛，并相信您是对的，那么我们只剩下一个变量:

I'm running LightTPD/1.4.20-1 (Win32) with PHP 5.3.0 as CGI, cgi.fix_pathinfo = 1 and $_SERVER['REQUEST_URI'] is very available to me, I also remember using that same variable back in the days when no one used mod_rewrite so my honest humble guess is that you're plain wrong in this point. Regarding the SCRIPT_FILENAME key I'm unable to test that one out ATM. Still, if we close our eyes really hard and believe that you're right that leaves us with only one variable:

• 'PHP_SELF'

我并不是想在这里苛刻(并且我仍然相信还有更多解决方案)，但是如果PHP_SELF是您希望我们使用的唯一键(假设本身)，只剩下一种解决方案:

I'm not trying in being harsh here (and I still believe that there are more solutions) but if PHP_SELF is the only key you want us to work with (assuming there are no impositions on PHP_SELF itself) there is only one solution left:

function PATH_INFO()
{
 if (array_key_exists('PATH_INFO', $_SERVER) === true)
 {
  return $_SERVER['PATH_INFO'];
 }

 $whatToUse = basename(__FILE__); // see below

 return substr($_SERVER['PHP_SELF'], strpos($_SERVER['PHP_SELF'], $whatToUse) + strlen($whatToUse));
}

此函数应该可以工作，但是使用 __FILE__常量可能会出现一些问题，因为它返回声明了__FILE__常量的文件的路径，而不是所请求的PHP脚本的路径，因此这就是$ whatToUse的原因:因此，您可以用'SCRIPT_FILENAME' 替换它，或者如果您真的相信自己说的话，只需使用'.php' .

This function should work, however there may be some problems using the __FILE__ constant since it returns the path to the file where the __FILE__ constant is declared and not the path to the requested PHP script, so that's why the $whatToUse is there for: sou you can replace it with 'SCRIPT_FILENAME' or if you really believe in what you are saying, just use '.php'.

您还应该阅读有关为何不使用PHP_SELF 的内容.

如果这对您不起作用，对不起，但是我还能想到其他任何事情.

If this doesn't work for you, I'm sorry but I can think of anything else.

编辑-为您提供更多阅读材料:

• Drupal request_uri()(为什么他们一直说REQUEST_URI是特定于Apache的吗?)
• PHP_SELF vs PATH_INFO vs SCRIPT_NAME vs REQUEST_URI

• Drupal request_uri() (why do they keep saying REQUEST_URI is Apache specific?)
• PHP_SELF vs PATH_INFO vs SCRIPT_NAME vs REQUEST_URI

这篇关于便携式且安全的获取PATH_INFO的方法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！