从超全局中删除数组($_GET、$_POST...)
在 PHP 中,可以在 $_GET、$_POST、$_COOKIE、$_FILES 和 中包含数组>$_REQUEST 根据 PHP 文档 。问题是这些来自用户,我可能会得到它们而不是字符串。例如,考虑以下代码片段。
<?php
if (isset($_GET['hello'])) {
echo 'Hello, ', htmlspecialchars($_GET['hello']), '.';
}
else {
echo '<form action="?"><input name="hello"><input type="submit"></form>';
}
看起来还好吗?好吧,只要你不使用 URL,它就会正常工作。问题是黑客可以尝试将 $_GET['hello'] 制作为数组。如果 URL 字符串看起来像 ?hello[]=something PHP 将返回错误消息
警告:htmlspecialchars() 期望参数 1 为字符串,第 3 行 FILE 中给出的数组
OK,谁会在生产站点中启用 HTML 错误(另一件事是错误日志...)。但整数也是一个问题 - PHP 是动态类型语言,因此它可以轻松接受像 '2' + 2 这样的代码。虽然是的,但您可以使用 (int) 我有一些旧代码无法执行此操作。如果字符串来自 $_GET 或 $_POST,它也可能是数组。像 array('2') + 2 这样的东西会导致 PHP 的致命错误。
致命错误:第 3 行 FILE 中不支持的操作数类型
现在这是不可接受的,因为它会停止脚本。我不需要这些变量中的数组,但它们让我烦恼。是否有任何简单的片段可以从这些特殊变量中删除数组。如果我真的想要一个数组,我可以在运行代码片段之前复制它。
In PHP it's possible to have arrays in $_GET, $_POST, $_COOKIE, $_FILES and $_REQUEST according to PHP documentation. The problem is that those come from user and I might get them instead of strings. For example, consider following snippet.
<?php
if (isset($_GET['hello'])) {
echo 'Hello, ', htmlspecialchars($_GET['hello']), '.';
}
else {
echo '<form action="?"><input name="hello"><input type="submit"></form>';
}
Looks OK? Well, as long you will not work will the URL it will work correctly. The problem is that hacker can try making $_GET['hello'] an array. If URL string looks like ?hello[]=something PHP will return error message
Warning: htmlspecialchars() expects parameter 1 to be string, array given in FILE on line 3
OK, who would enable in HTML errors in the production site (the other thing is error log...). But integers also are a problem - PHP is dynamically typed language, so it would accept easily code like '2' + 2. While yes, you can use (int) I have some old code which doesn't do that. If string comes from $_GET or $_POST it could be also array. Something like array('2') + 2 would cause fatal error of PHP.
Fatal error: Unsupported operand types in FILE on line 3
Now it's something that isn't acceptable because it would stop the script. I don't need arrays in those variables, but they annoy me. Is there any simple snippet which would remove arrays from those special variables. If I really would want an array, I could make copy of it before running the snippet.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
您可以使用 is_array() 来检查这样的事情。
或者只是再次显示表单
至于有人输入诸如
array('2') + 2之类的内容,您无需太担心。它已经是一个字符串,因此它不会作为 php 脚本运行。但是,根据您的范围,以最适合您的格式对信息进行编码始终是一个好主意。在您的示例中,有人可以将 HTML 代码注入到您的 get 变量中,导致网站看起来不同。像
strip_tags或htmlentities这样的简单函数不会有什么坏处。You could use
is_array()to check for such a thing.or just display the form again
As for someone inputting something like
array('2') + 2you don't need to worry much. It's already a string, therefor it won't be run as php script. However, depending on your scope is always a good idea to encode the information in a format best for you.In you example, someone could inject HTML code into your get variable, causing the site to look different. Simple functions like
strip_tagsorhtmlentitieswouldn't hurt.在字符串上下文中使用它之前,我会检查它是否是字符串。
或者:
如果你想删除所有数组:
哎呀,看起来 Sudhir 已经打败了我,但已经输入了......:)
I would check if it was a string before using it in a string context.
Or:
If you wanted to remove all arrays though:
Oops look like Sudhir already beat me to that part, but already had it typed... :)
那么你能做这样的事情吗:
希望它在某种意义上有帮助。
Can you then do something like this:
Hope it helps in some sense.