通过 $_GET 注入位置标头的 php 安全性 [英] php security for location header injection via $_GET
问题描述
我的页面上有此代码:
header("Location: $page");
$page 作为 GET 变量传递给脚本,我需要任何安全措施吗?(如果有的话)
$page is passed to the script as a GET variable, do I need any security? (if so what)
我打算只使用addslashes() 但这会填满URL...
I was going to just use addslashes() but that would stuff up the URL...
推荐答案
我可以将你的用户转发到任何我喜欢的地方,如果我得到他们单击链接,这绝对是一个很大的安全漏洞(请登录 www.yoursite.com?page=badsite.com).现在考虑一个场景,其中 badsite.com 看起来与您的网站完全一样,只是它捕获了您用户的凭据.
I could forward your users anywhere I like if I get them to click a link, which is definitely a big security flaw (Please login on www.yoursite.com?page=badsite.com). Now think of a scenario where badsite.com looks exactly like your site, except that it catches your user's credentials.
你最好在你的代码中定义一个 $urls
数组,并且只将索引传递给该数组中的一个条目,例如:
You're better off defining a $urls
array in your code and passing only the index to an entry in that array, for example:
$urls = array(
'pageName1' => '/link/to/page/number/1',
'pageNumber2' => '/link/to/page/number/2',
'fancyPageName3' => '/link/to/page/number/3',
);
# Now your URL can look like this:
# www.yoursite.com?page=pageName1
这篇关于通过 $_GET 注入位置标头的 php 安全性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!