清理$ _GET参数以避免XSS和其他攻击 [英] Sanitize $_GET parameters to avoid XSS and other attacks

问题描述

我在php中有一个网站，该网站的确包含include()以便将内容嵌入模板中.要加载的页面在get参数中给出，我将".php"添加到参数的末尾并包含该页面.我需要做一些安全检查，以避免XSS或其他问题(因为我们没有数据库，所以不能进行mysql注入).我想到的是以下内容.

I have a website in php that does include() to embed the content into a template. The page to load is given in a get parameter, I add ".php" to the end of the parameter and include that page. I need to do some security check to avoid XSS or other stuff (not mysql injection since we do not have a database). What I've come up with is the following.

$page = $_GET['page'];

if(!strpos(strtolower($page), 'http') || !strpos($page, '/') ||
    !strpos($page, '\\') || !strpos($page, '..')) {
        //append ".php" to $page and include the page

还有什么我可以做的事情来进一步净化我的输入吗?

Is there any other thing I can do to furtherly sanitize my input?

推荐答案

$page = preg_replace('/[^-a-zA-Z0-9_]/', '', $_GET['page']);

这可能是清理此问题的最快方法，它将花费一切并确保仅包含字母，数字，下划线或破折号.

Is probably the quickest way to sanitize this, this will take anything and make sure that it only contains letters, numbers, underscores or dashes.

这篇关于清理$ _GET参数以避免XSS和其他攻击的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！