PHP安全$ _GET与否 [英] PHP safe $_GET or not
问题描述
我们有网址:
http://site.com/index.php?action=show
$ _ GET ['action']
检查?action =
的值:
switch($ _GET [' action']){
case =show{
$ match_show = true;
以及其他地方:
echo $ _GET ['action'];
使用这种结构绝对安全吗?
如何让他们安全?
谢谢。
开关事情没问题,因为您正在比较硬编码值(但是,它是 caseshow:
btw)。
由于@Bruce在评论中提到,您应该添加默认值:
大小写捕获不在列表中的值或空值:
switch($ _GET ['action']){
caseshow:
$ match_show = true;
休息;
默认值:
//值不在列表中。相应地做出反应。
回显操作'未知的值。
$ / code>
第二件事可能是危险的,因为它可能是可能的将HTML和更重要的JavaScript注入到文档主体中。您应该在回应变量之前对变量应用 htmlspecialchars()
。
We have url:
http://site.com/index.php?action=show
$_GET['action']
is used in templates to check value of ?action=
:
switch ($_GET['action']) {
case = "show" {
$match_show = true;
}
}
and in other place:
echo $_GET['action'];
Is it absolutely safe to use this constructions?
How to make them safe?
Thanks.
The switch thing is okay, because you are comparing against a hard-coded value (however, it's case "show":
btw).
As @Bruce mentions in the comments, you should add a default:
case as well to catch values that are not on the list, or empty values:
switch ($_GET['action']) {
case "show":
$match_show = true;
break;
default:
// value is not on the list. React accordingly.
echo "Unknown value for 'action'".
}
The second thing is potentially dangerous, as it would be possible to inject HTML and more importantly, JavaScript into the document body. You should apply a htmlspecialchars()
on the variable before echoing it.
这篇关于PHP安全$ _GET与否的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!