这个重定向脚本会让我接受代码注入或远程文件包含吗?
最近,我看到一篇关于使用 PHP 脚本重定向联属链接的博客文章。这让我开始思考这个脚本是否安全。我听说使用 $_GET 变量可能会导致漏洞。
任何建议将不胜感激。检查输入中的字母数字和连字符(“-”)是否足以防止这种情况发生?
对于此脚本,链接的形式为:
http://www.somesite.com/amazon.php?asin=XXXXXXXXXX
或
http://www.somesite.com/ amazon.php?id=some-keyword
这是 amazon.php:
<?php
$id = $_GET['id'];
$asin = $_GET['asin'];
if ($asin != NULL)
{
header("Location:http://www.amazon.com/exec/obidos/ASIN/".$asin."/fantasticaffiliate-20");
exit;
}
else
{
$links = array(
"keyword-one" => "http://www.amazon.com/b/?node=1122334455&tag=fantasticaffiliate-20",
"keyword-two" => "http://www.amazon.com/exec/obidos/ASIN/1352434213/fantasticaffiliate-20"
);
header("Location:".$links[$id]);
exit;
}
?>
一如既往地感谢!
Recently I ran across a blog article about using PHP scripts to redirect affiliate links. It got me thinking whether this script was safe or not. I've heard that using the $_GET variable can lead to a vulnerability.
Any suggestions would be appreciated. Would checking the input for alphanumerics and the hyphen ('-') be enough to guard against this?
For this script, links in would be of the form:
http://www.somesite.com/amazon.php?asin=XXXXXXXXXX
or
http://www.somesite.com/amazon.php?id=some-keyword
Here is amazon.php:
<?php
$id = $_GET['id'];
$asin = $_GET['asin'];
if ($asin != NULL)
{
header("Location:http://www.amazon.com/exec/obidos/ASIN/".$asin."/fantasticaffiliate-20");
exit;
}
else
{
$links = array(
"keyword-one" => "http://www.amazon.com/b/?node=1122334455&tag=fantasticaffiliate-20",
"keyword-two" => "http://www.amazon.com/exec/obidos/ASIN/1352434213/fantasticaffiliate-20"
);
header("Location:".$links[$id]);
exit;
}
?>
Thanks as always!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
是的,会的。这些字符的任何组合都不足以导致 XSS 问题。
Yes, it would. None of those characters in any combination is enough to cause a XSS problem.