不要直接访问超全局 $_GET 数组 [英] Do not access superglobal $_GET array directly

问题描述

我是 PHP 新手，如果这是一个愚蠢的问题，请原谅我，但为什么我不应该直接访问超全局数组中的项目?NetBeans 警告我不要(见标题)，我在其他地方也读过同样的内容——但是我还没有找到一个好的解释.

I'm new to PHP, so forgive me if this is a stupid question but why should I not access items in the superglobal arrays directly? NetBeans warns me not to (see title), and I've read the same elsewhere -- however I haven't come across a good explanation yet.

会出什么问题?这是一个安全问题，比如 SQL 注入?还是别的什么?

What can go wrong? Is it a security concern, like SQL injection? Or something else?

StackOverflow 上有几个类似的问题，但没有一个答案能真正解释问题所在:他们只是建议使用 filter_input().这并不能让我满意，因为我喜欢知道事情是如何运作的.任何解释将不胜感激.

There are several similar questions on StackOverflow, but none of the answers actually explain what the problem is: they just suggest to use filter_input(). This doesn't satisfy me, since I like knowing how things work. Any explanation will be appreciated.

推荐答案

嗯，一般情况下直接使用超级全局变量是没有坏处的，

Well, in normal cases there's no harm of using the super global variables directly,

但为了安全起见并避免一长串可能的攻击，您应该过滤来自用户的数据，在您的应用程序中使用它们之前抛出这些变量

but to stay on the safe side and to avoid long list of possible attacks you should filter the data coming from the user throw those vars before using them in your application

这篇关于不要直接访问超全局 $_GET 数组的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！