PHP 安全 $_GET 与否
我们有网址:
http://site.com/index.php?action=show
$_GET['action'] 用于模板中检查 ?action= 的值:
$_GET['action'] is used in templates to check value of ?action=:
switch ($_GET['action']) {
case = "show" {
$match_show = true;
}
}
在其他地方:
echo $_GET['action'];
使用这种结构绝对安全吗?
Is it absolutely safe to use this constructions?
如何使它们安全?
谢谢.
推荐答案
开关的事情是好的,因为你正在与一个硬编码的值进行比较(但是,它是 case "show": btw).
The switch thing is okay, because you are comparing against a hard-coded value (however, it's case "show": btw).
正如@Bruce 在评论中提到的,您还应该添加一个 default: 案例以捕获不在列表中的值或空值:
As @Bruce mentions in the comments, you should add a default: case as well to catch values that are not on the list, or empty values:
switch ($_GET['action']) {
case "show":
$match_show = true;
break;
default:
// value is not on the list. React accordingly.
echo "Unknown value for 'action'".
}
第二件事有潜在的危险,因为有可能将 HTML 和更重要的 JavaScript 注入到文档正文中.您应该在回显之前对变量应用 htmlspecialchars() .
The second thing is potentially dangerous, as it would be possible to inject HTML and more importantly, JavaScript into the document body. You should apply a htmlspecialchars() on the variable before echoing it.
相关文章