当前位置: 文江博客话题详情

使用 PHP 处理复选框

发布于 2024-10-20 02:25:34 字数 790 浏览 2 评论 0原文

我的老板设置了一个脚本来通过 PHP 处理表单并通过电子邮件发送结果。我们需要使用这个处理器。处理器的问题是这行代码:

foreach ($_POST as $k => $v){$$k = strip_tags($v);}

如果发送的所有值都只是字符串,那就没问题,但我正在尝试处理一些作为数组传递的复选框。据我了解, strip_tags 函数仅适用于字符串。它会处理所有内容并按应有的方式通过电子邮件发送结果,但每次尝试处理一系列复选框时都会发出通知。 注意:数组到字符串的转换... 这个过程仍然有效,我只是到处都收到丑陋的通知。为了暂时解决问题,我删除了 strip_tags 函数,结果是:

foreach ($_POST as $k => $v){$$k = $v;}

现在一切正常,我没有收到任何警告、错误或通知。然而,在向我的老板指出这一点后,他希望我恢复到原始代码,然后为每个复选框提供自己唯一的名称,而不是为它们提供具有不同值的相同名称。我可以这样做,但我知道这不是处理一系列复选框的正确方法。另外,它还会造成各种头痛。我的老板根本不明白如何使用数组,所以每次遇到数组时他都会想出这样愚蠢的解决方法。他还声称这是某种垃圾邮件防护措施,旨在阻止人们将收件人添加到我们的表单中。我可能不是 PHP 专家,但我很确定这个说法是错误的。

那么我能做些什么来解决这个问题呢?我知道我应该首先将复选框数组转换为字符串,然后对生成的字符串使用 strip_tags 函数,但我对 PHP 还很陌生,并且不完全理解该行代码首先在做什么。有人可以帮助至少指出我正确的方向吗?

原文

My boss set up a script to process forms through PHP and email the results. We are required to use this processor. The problem with the processor is this line of code:

foreach ($_POST as $k => $v){$k = strip_tags($v);}

This would be fine if all values sent were just strings, but I am trying to process some checkboxes which are passed as arrays. From what I understand, the strip_tags function only works with strings. It processes everything and sends the results via email as it should, but it throws a notice every time it tries to process a series of checkboxes.
Notice: array to string conversion...
The process still works, I just get ugly notices all over the place. In order to temporarily fix the problem, I removed the strip_tags function, resulting in this:

foreach ($_POST as $k => $v){$k = $v;}

Everything now functions properly and I get no warnings, errors or notices. However, after pointing this out to my boss he wants me to revert back to the original code and then give each checkbox its own unique name, instead of giving them all the same name with different values. I could do that, but I know that is not the proper way to process a series of checkboxes. Plus it creates all sorts of headaches. My boss simply does not understand how to work with arrays, so he comes up with stupid work-arounds like this every time he encounters one. He also claims that this is some sort of spam protection to stop people from adding recipients to our forms. I may not be an expert in PHP, but I'm pretty sure that statement is false.

So what can I do to fix this issue? I know I should be converting the checkbox arrays to strings first, then use the strip_tags function on the resulting strings, but I am still fairly new to PHP and don't entirely understand what that line of code is doing to begin with. Can anybody help at least point me in the right direction?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

维持三分热 2024-10-27 02:25:34

向你的老板指出:

<input type="checkbox" name="valid_recipient[]" value="1" /> [email protected]
<input type="checkbox" name="valid_recipient[]" value="x" /> [email protected]


<input type="checkbox" name="valid_recipient1" value="1" /> [email protected]
<input type="checkbox" name="valid_recipient2" value="x" /> [email protected]

是同一件事,无论它们是作为复选框值数组还是单独的复选框/值对传递。不管怎样,讨厌先生只是在你的复选框列表中注入了一些东西。

此外,恶意用户还可以从

<input type="hidden" name="_POST" value="haha I wiped your post array!" />

表单中设置什么内容。你的 PHB 方便的花花公子“让我们完全安全”处理器刚刚愉快地摧毁了 $_POST 数组,同时“完全安全”

Point out to your boss that:

<input type="checkbox" name="valid_recipient[]" value="1" /> [email protected]
<input type="checkbox" name="valid_recipient[]" value="x" /> [email protected]

and

<input type="checkbox" name="valid_recipient1" value="1" /> [email protected]
<input type="checkbox" name="valid_recipient2" value="x" /> [email protected]

are the same thing, whether they get passed as an array of checkbox values, or individual checkbox/value pairs. Either way, Mr. Nasty just injected something into your checkbox list.

As well, what's a malicious user from setting

<input type="hidden" name="_POST" value="haha I wiped your post array!" />

into the form. Your PHB's handy dandy "makes us completely secure" processor has just happily nuked the $_POST array, all while being "completely secure"

回复 原文
递刀给你 2024-10-27 02:25:34

将复选框作为数组传递是 kush:

<input type="checkbox" name="myarray[key1]" value="hello world" />
<input type="checkbox" name="myarray[key2]" value="well hello again" />

将创建一个结果 $_POST,如下所示:

Array
(
    [myarray] => Array
        (
            [key1] => hello world
            [key2] => well hello again
        )

)

虽然这很棒,但这也意味着您的老板代码双重不安全:

首先,其中没有 strip_tags 会让您容易受到XSS 攻击。

其次,天真地信任 $_POST 变量名称并将它们导出到全局命名空间中会导致灾难。 (这就是为什么 register_globals 成为过去的原因)。

例如,假设您使用简单的 $_SESSION 变量跟踪登录者的用户名。像这样的东西:

if ($_SESSION['logged_in_user'] == 'admin') {
   // do administrator things
}

好吧,通过接受和导出 $_POST 变量,攻击者可以像这样修改 HTML 表单元素:

<input type="checkbox" name="myarray[key1]" value="hello world" />

并将其扭曲成这样的东西(使用 Firebug 或 Chrome):

<input type="checkbox" name="_SESSION[logged_in_user]" value="admin" />

啊!任何匿名用户都可以获得该网站的管理员访问权限。

这是一个供您考虑的简单脚本:

<pre>
<?php 
session_start();
$_SESSION['logged_in_user'] = 'pygorex1';
print_r($_SESSION);
foreach ($_POST as $k => $v) {
    $k = $v;
}
?>
</pre>
<form method="post">
<input type="checkbox" name="myarray[key1]" value="hello world" />
<input type="checkbox" name="_SESSION[logged_in_user]" value="admin" />
<input type="submit" value="go go gadget" />
</form>
<pre>
<?php 
print_r($_SESSION);
print_r($myarray);
session_write_close();

if ($_SESSION['logged_in_user'] == 'admin') {
    echo("OWNED\n");
}

?>
</pre>

Passing checkboxes as an array is kush:

<input type="checkbox" name="myarray[key1]" value="hello world" />
<input type="checkbox" name="myarray[key2]" value="well hello again" />

Will create a resultant $_POST like:

Array
(
    [myarray] => Array
        (
            [key1] => hello world
            [key2] => well hello again
        )

)

While this is awesome it also means that your bosses code is doubly insecure:

First, not having the strip_tags in there makes you vulnerable to XSS attacks.

Second, naively trusting $_POST variable names and exporting them into the global namespace is a recipe for disaster. (There's a reason why register_globals is a thing of the past).

For instance, let's say you track the username of who is logged in using a simple $_SESSION variable. Something like this:

if ($_SESSION['logged_in_user'] == 'admin') {
   // do administrator things
}

Well, by accepting and exporting $_POST variables and attacker could modify an HTML form element like this:

<input type="checkbox" name="myarray[key1]" value="hello world" />

And twiddle it into something like this (using Firebug or Chrome):

<input type="checkbox" name="_SESSION[logged_in_user]" value="admin" />

Tad-ah! Any anonymous user can gain administrator access to the web site.

Here is a simple script for your consideration:

<pre>
<?php 
session_start();
$_SESSION['logged_in_user'] = 'pygorex1';
print_r($_SESSION);
foreach ($_POST as $k => $v) {
    $k = $v;
}
?>
</pre>
<form method="post">
<input type="checkbox" name="myarray[key1]" value="hello world" />
<input type="checkbox" name="_SESSION[logged_in_user]" value="admin" />
<input type="submit" value="go go gadget" />
</form>
<pre>
<?php 
print_r($_SESSION);
print_r($myarray);
session_write_close();

if ($_SESSION['logged_in_user'] == 'admin') {
    echo("OWNED\n");
}

?>
</pre>
回复 原文
~没有更多了~

关于作者

只是在用心讲痛

暂无简介

0 文章
0 评论
24 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

留蓝

文章 0 评论 0

18790681156

文章 0 评论 0

zach7772

文章 0 评论 0

Wini

文章 0 评论 0

ayeshaaroy

文章 0 评论 0

初雪

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文