doutong4088 2012-03-06 01:27
浏览 51
已采纳

如果我使用预定义URL的数组进行验证,$ _SERVER ['HTTP_REFERER']是危险的吗?

I am doing a login page for my application. When a user wants to go to "myaccount.php" but he's not logged in, he's redirected to login.php.

When login is successful, I want him to be redirected to $_SERVER['HTTP_REFERER'], which will be various pages of my application.

I read on forum that ['HTTP_REFERER'] can be dangerous.

But what if I create an array like ('myaccount.php','mycart.php', etc...) and compare this array to $_SERVER['HTTP_REFERER'], will this protect me against potential malicious use of this feature?

  • 写回答

3条回答 默认 最新

  • doumei1772 2012-03-06 12:33
    关注

    $_SERVER["HTTP_REFERER"] is not dangerous - it's just attacker controlled. It won't hurt you unless you trust it for granting extra permissions to someone (e.g. don't assume that someone who just came from successful-login.php has successfully logged in!)

    Redirecting a user doesn't grant any special permissions to the user, so redirecting an attacker to an attacker-controlled string does not compromise your server's security in any way.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥20 基于MSP430f5529的MPU6050驱动,求出欧拉角
  • ¥20 Java-Oj-桌布的计算
  • ¥15 powerbuilder中的datawindow数据整合到新的DataWindow
  • ¥20 有人知道这种图怎么画吗?
  • ¥15 pyqt6如何引用qrc文件加载里面的的资源
  • ¥15 安卓JNI项目使用lua上的问题
  • ¥20 RL+GNN解决人员排班问题时梯度消失
  • ¥60 要数控稳压电源测试数据
  • ¥15 能帮我写下这个编程吗
  • ¥15 ikuai客户端l2tp协议链接报终止15信号和无法将p.p.p6转换为我的l2tp线路