使用 PHP_SELF 获取页面名称 - 危险吗? [英] Getting pagename using PHP_SELF - dangers?
问题描述
我正在考虑使用 PHP_SELF 来获取用户当前正在访问的页面的名称.我很清楚在表单操作等地方使用 PHP_SELF 的危险,尽管我不确定在 hrefs 中使用它会伤害什么?但这不是主要问题...无论如何.
I'm thinking of using PHP_SELF to grab the name of the page the user is currently visiting. I'm well aware of the dangers of using PHP_SELF in places like form actions, though I'm not sure where it would hurt to use in hrefs? But that's beside the main question . . . anyway.
使用 PHP_SELF 抓取用户所在的页面并使用 str_replace()
从中获取我需要的信息是否有任何危险?我想不出任何,但这当然是一个很好的提问的地方.;)
Are there any dangers in using PHP_SELF to grab the page the user is on and using str_replace()
to get the info I need from it? I can't think of any, but this is, of course a great place to ask. ;)
谢谢!
推荐答案
是的,可能是因为它是攻击者控制的变量.它可能导致诸如 xss 之类的漏洞.
Yes, it can be because it is an attacker controlled variable. It can lead to vulnerabilities such as xss.
<?php print $_SERVER['PHP_SELF']?>
http://localhost/self.php/<script>alert(1)</script>
如果可能,您应该使用攻击者无法控制的变量,例如 $_SERVER["SCRIPT_FILENAME"]
.还有其他几个,只需查看 phpinfo().
If possilbe you should use a variable that the attacker can't control like $_SERVER["SCRIPT_FILENAME"]
. There are a couple of others, just check the phpinfo().
这篇关于使用 PHP_SELF 获取页面名称 - 危险吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!