清理$ _GET参数以避免XSS和其他攻击 [英] Sanitize $_GET parameters to avoid XSS and other attacks
问题描述
我在php中有一个网站,该网站的确包含include()以便将内容嵌入模板中.要加载的页面在get参数中给出,我将".php"添加到参数的末尾并包含该页面.我需要做一些安全检查,以避免XSS或其他问题(因为我们没有数据库,所以不能进行mysql注入).我想到的是以下内容.
I have a website in php that does include() to embed the content into a template. The page to load is given in a get parameter, I add ".php" to the end of the parameter and include that page. I need to do some security check to avoid XSS or other stuff (not mysql injection since we do not have a database). What I've come up with is the following.
$page = $_GET['page'];
if(!strpos(strtolower($page), 'http') || !strpos($page, '/') ||
!strpos($page, '\\') || !strpos($page, '..')) {
//append ".php" to $page and include the page
还有什么我可以做的事情来进一步净化我的输入吗?
Is there any other thing I can do to furtherly sanitize my input?
推荐答案
$page = preg_replace('/[^-a-zA-Z0-9_]/', '', $_GET['page']);
这可能是清理此问题的最快方法,它将花费一切并确保仅包含字母,数字,下划线或破折号.
Is probably the quickest way to sanitize this, this will take anything and make sure that it only contains letters, numbers, underscores or dashes.
这篇关于清理$ _GET参数以避免XSS和其他攻击的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!