使用 PHP_SELF 获取页面名称 - 危险吗? [英] Getting pagename using PHP_SELF - dangers?

问题描述

我正在考虑使用 PHP_SELF 来获取用户当前正在访问的页面的名称.我很清楚在表单操作等地方使用 PHP_SELF 的危险，尽管我不确定在 hrefs 中使用它会伤害什么?但这不是主要问题...无论如何.

I'm thinking of using PHP_SELF to grab the name of the page the user is currently visiting. I'm well aware of the dangers of using PHP_SELF in places like form actions, though I'm not sure where it would hurt to use in hrefs? But that's beside the main question . . . anyway.

使用 PHP_SELF 抓取用户所在的页面并使用 str_replace() 从中获取我需要的信息是否有任何危险?我想不出任何，但这当然是一个很好的提问的地方.;)

Are there any dangers in using PHP_SELF to grab the page the user is on and using str_replace() to get the info I need from it? I can't think of any, but this is, of course a great place to ask. ;)

谢谢！

推荐答案

是的，可能是因为它是攻击者控制的变量.它可能导致诸如 xss 之类的漏洞.

Yes, it can be because it is an attacker controlled variable. It can lead to vulnerabilities such as xss.

<?php print $_SERVER['PHP_SELF']?>

http://localhost/self.php/<script>alert(1)</script>

如果可能，您应该使用攻击者无法控制的变量，例如 $_SERVER["SCRIPT_FILENAME"].还有其他几个，只需查看 phpinfo().

If possilbe you should use a variable that the attacker can't control like $_SERVER["SCRIPT_FILENAME"]. There are a couple of others, just check the phpinfo().

这篇关于使用 PHP_SELF 获取页面名称 - 危险吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！