贝宝PHP IPN示例引用了哪些POST序列化问题? [英] What POST serialization issues does PayPal PHP IPN example refer to?

问题描述

PayPal用于PHP IPN侦听器的示例代码在顶部具有以下注释/代码:

PayPal's sample code for a PHP IPN listener has this comment/code at the top:

// reading posted data from directly from $_POST causes serialization 
// issues with array data in POST
// reading raw POST data from input stream instead. 
$raw_post_data = file_get_contents('php://input');
$raw_post_array = explode('&', $raw_post_data);
$myPost = array();
foreach ($raw_post_array as $keyval) {
  $keyval = explode ('=', $keyval);
  if (count($keyval) == 2)
     $myPost[$keyval[0]] = urldecode($keyval[1]);
}

有人可以解释此注释涉及的序列化问题吗?虽然我可以这样做，但是知道为什么要这样做时，我会感到更加自在.

Can someone explain what serialization issues this comment refers to? While I'm ok doing it this way, I would feel more comfortable knowing why it should be done this way.

推荐答案

我无法告诉您paypal的动机，但是我可以猜测:php喜欢更改http请求中传入变量的键.

I can't tell you paypals motivations, but I can guess: php likes to change the keys of incoming variables from an http request.

例如，名称a.b [将显示为$_POST['a_b__']. php将用下划线替换空格，圆点和方括号: 来源: http://php.net/manual/en/language.variables. external.php

For example, the name a.b [ would show up as $_POST['a_b__']. php will replace spaces, dots, and open brackets with underscores: source: http://php.net/manual/en/language.variables.external.php

此外，php会将变量名称中格式良好的匹配括号解析为嵌套数组.例如，arr[a][b]将显示为$_POST['a']['b']. http://php.net/manual/en/faq. html.php#faq.html.arrays

Also, php will parse well formed matching brackets in variable names into nested arrays. eg, arr[a][b] would show up as $_POST['a']['b']. http://php.net/manual/en/faq.html.php#faq.html.arrays

此外，当括号格式不正确时，php会表现出各种疯狂的错误: https://bugs.php.net/bug.php?id=48597

Also, php behaves all kinds of crazy and buggy when brackets aren't well formed: https://bugs.php.net/bug.php?id=48597

此外，magic_quotes_gpc过去在每个php安装中都有其功能，在某些情况下也会更改变量的名称. http://php.net/manual/en/security.magicquotes.php

Also, magic_quotes_gpc used to have its talons into every php installation, changing the names of variables in certain cases too. http://php.net/manual/en/security.magicquotes.php

此外，php具有arg_seperator.input设置，有些人喜欢将其设置为&而不只是&.贝宝(Paypal)无法知道您更喜欢哪个，并且显然总是使用& http://php.net/manual/zh/ini.core.php#ini.arg-separator.input

Also, php has the arg_seperator.input setting, and some people like to set this to & instead of just &. Paypal cannot know which you prefer, and would obviously always use & http://php.net/manual/en/ini.core.php#ini.arg-separator.input

此外，尽管做法不好，但在php中，代码/库自动修改诸如$_POST之类的请求输入的情况并不少见，例如xss清理"它们或其他类似的交叉问题.

Also, despite being bad practice, it's not too uncommon in php for code/libraries to automatically modify the request inputs such as $_POST, eg to xss "sanitize" them or other such cross cutting concerns.

通过手动解析输入，可以避免所有这些潜在的问题.这一决定似乎对他们而言是一项很好的工程.

By parsing the input manually, you avoid all those potential issues. This decision seems like good engineering on their part.

这篇关于贝宝PHP IPN示例引用了哪些POST序列化问题?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！