如何防止包含的 PHP 脚本更改位置 URL?
我包含了一个更改 URL 的 PHP 脚本。
// index.php
ob_start();
include "script.php";
// This script redirects using header("Location:");
$out = ob_get_clean();
// I use the $out data for calculations
echo $out;
有没有一种简单的方法来对抗或撤消这种不需要的重定向? 怎么样:
header("Location: index.php"); // redirect back to self
但这会导致无限的重定向循环......有什么想法吗?
或者有没有办法从 $out 缓冲区中删除 header() 调用,以防止它到达客户端?
I'm including a PHP script that changes the URL.
// index.php
ob_start();
include "script.php";
// This script redirects using header("Location:");
$out = ob_get_clean();
// I use the $out data for calculations
echo $out;
Is there a simple way to counter or undo this unwanted redirect? How about:
header("Location: index.php"); // redirect back to self
But this causes an endless redirect loop... any ideas?
Or is there a way to strip out the header() calls from the $out buffer, preventing it from ever reaching the client?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
仅供以后参考。 从 PHP 5.3 开始,有一个名为 header_remove() 的新函数这有助于处理此类情况。
Just for future references. As of PHP 5.3 there's a new function called header_remove() which helps dealing with such situations.
您可以尝试用无效值覆盖该标头字段,例如:
但我不知道客户端对此有何反应。
You could try to overwrite that header field with an invalid value, such as:
But I don’t know how the clients react on that.
确实没有一个好的方法可以做到这一点。 我想到两件事:
There isn't really a good way to do that. Two things come to mind:
首先将文件作为变量包含在
file_get_contents()中,去掉不需要的标头,然后使用 PHP 代码运行它(我不会提到用于将 PHP 字符串解析为 PHP 的邪恶词)怎么样?代码)?What about including the file first as a variable with
file_get_contents(), stripping out the unwanted headers and then running it with PHP code (I won't mention the evil word used to parse a PHP string as PHP code)?如果您没有 PHP5.3(您可能没有),Gumbo 的答案 不起作用,并且您不想使用 eval,那么我能看到的唯一其他选项是使用流。 然而,这是另一种更灵活但更复杂的评估形式。 Streams 与 tokenizer 结合,您将能够获得用一个简单的方法摆脱该函数调用:
If you don't have PHP5.3 at your disposal (you probably don't), Gumbo's answer does not work and you don't want to use eval, then the only other option I can see, is the use of streams. This is however yet another, more flexible but complex, form of eval. Streams, combined with tokenizer, and you'll be able to get rid of that function call with a simple:
由于在输出字符串之前您已经拥有了完整的文本,因此您可以通过搜索和替换(例如使用正则表达式)简单地删除所需的标题。
Since you have the complete text in a string before you output it, you can simple remove the headers you want with a search and replace (using a regex for example).