PHP 安全 $_GET 与否 [英] PHP safe $_GET or not

问题描述

我们有网址:

http://site.com/index.php?action=show

$_GET['action'] 用于模板中检查 ?action= 的值:

$_GET['action'] is used in templates to check value of ?action=:

switch ($_GET['action']) {
    case = "show" {
        $match_show = true;
    }
}

在其他地方:

echo $_GET['action'];

使用这种结构绝对安全吗?

Is it absolutely safe to use this constructions?

如何使它们安全?

谢谢.

推荐答案

开关的事情是好的，因为你正在与一个硬编码的值进行比较(但是，它是 case "show": btw).

The switch thing is okay, because you are comparing against a hard-coded value (however, it's case "show": btw).

正如@Bruce 在评论中提到的，您还应该添加一个 default: 案例以捕获不在列表中的值或空值:

As @Bruce mentions in the comments, you should add a default: case as well to catch values that are not on the list, or empty values:

switch ($_GET['action']) {

    case "show":
        $match_show = true;
        break;

    default: 
        // value is not on the list. React accordingly.
        echo "Unknown value for 'action'". 

}

第二件事有潜在的危险，因为有可能将 HTML 和更重要的 JavaScript 注入到文档正文中.您应该在回显之前对变量应用 htmlspecialchars() .

The second thing is potentially dangerous, as it would be possible to inject HTML and more importantly, JavaScript into the document body. You should apply a htmlspecialchars() on the variable before echoing it.

这篇关于PHP 安全 $_GET 与否的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！