如何保护 $_SERVER['PHP_SELF']? [英] How to secure $_SERVER['PHP_SELF']?

问题描述

我使用下面的代码来控制分页.它使用 $_SERVER['PHP_SELF'] 所以我想知道它是否安全，或者我必须做什么才能使 $_SERVER['PHP_SELF'] 安全?

I am using this code below to control pagination. It's using $_SERVER['PHP_SELF'] so I wanted to know if its secure this way or what do I have to do to make $_SERVER['PHP_SELF'] secure?

<?php 

    if($rows > 10) {
        echo '<a id=nex href="'.$_SERVER['PHP_SELF'].'?pg='.($startrow+10).'">
        Next</a>';
    } 

    $prev = $startrow - 10;

    if ($prev >= 0) {
        echo '<a id=pex href="'.$_SERVER['PHP_SELF'].'?pg='.$prev.'">
        Previous</a>';
    }

?>

推荐答案

为了防止 XSS 攻击，你应该使用 htmlspecialchars() 或 filter_input() 来转义 $_SERVER['PHP_SELF'].有关详细信息，请参阅此问题.

To prevent XSS attacks, you should use htmlspecialchars() or filter_input() to escape $_SERVER['PHP_SELF']. See this question for more info.

还要注意，如果你以 ? 开头的 href 属性没有路径，浏览器会将后续的查询字符串附加到当前请求中，就像一个相对链接将附加到同一目录.

Note also that if you start an href attribute with ? and no path, the browser will append the subsequent query string to the current request, much like a relative link would append to the same directory.

我假设您正在对其他地方的 $prev 和 $startrow 进行消毒.数学比较应该使它们安全，但如果它们来自 $_GET，最好在执行任何其他操作之前通过 intval() 运行它们.

I'm assuming that you're sanitizing $prev and $startrow elsewhere. The mathematical comparisons should make them safe, but if they're coming from $_GET it's a good idea to run them through intval() before you do anything else.

这篇关于如何保护 $_SERVER['PHP_SELF']?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！