How to securely create PHP variables with extract


Problem description


In my previous post I asked how to create variables from an array ( PHP Variables made with foreach ). I got several answers and I was testing extract(), but I have seen several arguments against it for security reasons.

Now my question here is how can I use extract in a secure way from a $_POST that has an array that was made using jQuery serialize.

By secure I mean that if a user inputs the wrong data, the secure way can take care of that with no problems.

The PHP site has a small warning on the extract command that says the following:

Do not use extract() on untrusted data, like user input (i.e. $_GET, $_FILES, etc.). If you do, for example if you want to run old code that relies on register_globals temporarily, make sure you use one of the non-overwriting extract_type values such as EXTR_SKIP and be aware that you should extract in the same order that's defined in variables_order within the php.ini.

It warns about the use but does not at least provide an example of how to handle the use of extract in a secure way.

Solution

The best option is to not use extract() at all. It's a bad design decision from the days when PHP was the equivalent of wet toilet paper for writing secure code.

It may be painful, but it is far better to write out a long sequence of:

$var1 = $_POST['var1'];
$var2 = $_POST['var2'];
etc...

or simply use $_POST['var1'] and company everywhere in your code.

As soon as you start using extract, you're giving malicious users a potential way into your code, no matter how much time/effort you put into it. You don't drill a hole through a bank vault door because it's too annoying to have to open the door each time to let some money out. Once there's a hole, it will be exploited.
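An added example (not code from the question or the answer) that shows what the answer warns about and the explicit-assignment alternative it recommends; the $_POST contents and the field names are constructed for the demonstration:

```php
<?php
// Added example (not the question's or the answer's own code): why extract()
// on $_POST is dangerous and how the explicit assignment the answer recommends
// avoids it. The $_POST contents below are constructed for the demonstration.
$_POST = ['username' => 'alice', 'is_admin' => '1', 'age' => 'not-a-number'];

// Unsafe: a variable the script already relies on is silently overwritten by
// a field the client chose to send. EXTR_SKIP would protect $is_admin here only
// because it is assigned before the call; a variable set later, or one the code
// merely checks with isset(), gets no such protection.
function unsafeHandler(array $request): bool
{
    $is_admin = false;          // server-side decision
    extract($request);          // client-chosen names land in the local scope
    return (bool) $is_admin;    // the client-supplied field replaced the server value
}

// Safe: name every field you expect, read it explicitly, validate it, and give
// it a default. Unknown keys such as 'is_admin' never become variables.
function safeHandler(array $request): array
{
    $is_admin = false;

    $username = isset($request['username']) && is_string($request['username'])
        ? trim($request['username'])
        : '';
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $username)) {
        throw new InvalidArgumentException('invalid username');
    }

    // Reject malformed numeric input instead of letting PHP coerce it.
    $age = filter_var($request['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age === false) {
        $age = null;            // optional field: missing or malformed means "not given"
    }

    return ['username' => $username, 'age' => $age, 'is_admin' => $is_admin];
}

var_dump(unsafeHandler($_POST));
var_dump(safeHandler($_POST));
```

Run with `php example.php`: the unsafe handler reports the admin flag as set because the request supplied it, while the safe handler keeps it false and drops the malformed age.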

