如何保护 $_SERVER['PHP_SELF']? [英] How to secure $_SERVER['PHP_SELF']?
问题描述
我使用下面的代码来控制分页.它使用 $_SERVER['PHP_SELF']
所以我想知道它是否安全,或者我必须做什么才能使 $_SERVER['PHP_SELF']
安全?
I am using this code below to control pagination. It's using $_SERVER['PHP_SELF']
so I wanted to know if its secure this way or what do I have to do to make $_SERVER['PHP_SELF']
secure?
<?php
if($rows > 10) {
echo '<a id=nex href="'.$_SERVER['PHP_SELF'].'?pg='.($startrow+10).'">
Next</a>';
}
$prev = $startrow - 10;
if ($prev >= 0) {
echo '<a id=pex href="'.$_SERVER['PHP_SELF'].'?pg='.$prev.'">
Previous</a>';
}
?>
推荐答案
为了防止 XSS 攻击,你应该使用 htmlspecialchars()
或 filter_input()
来转义 $_SERVER['PHP_SELF']
.有关详细信息,请参阅此问题.
To prevent XSS attacks, you should use htmlspecialchars()
or filter_input()
to escape $_SERVER['PHP_SELF']
. See this question for more info.
还要注意,如果你以 ?
开头的 href
属性没有路径,浏览器会将后续的查询字符串附加到当前请求中,就像一个相对链接将附加到同一目录.
Note also that if you start an href
attribute with ?
and no path, the browser will append the subsequent query string to the current request, much like a relative link would append to the same directory.
我假设您正在对其他地方的 $prev
和 $startrow
进行消毒.数学比较应该使它们安全,但如果它们来自 $_GET,最好在执行任何其他操作之前通过 intval()
运行它们.
I'm assuming that you're sanitizing $prev
and $startrow
elsewhere. The mathematical comparisons should make them safe, but if they're coming from $_GET it's a good idea to run them through intval()
before you do anything else.
这篇关于如何保护 $_SERVER['PHP_SELF']?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!