PHP安全地转换$ _GET / $ _POST数组

I was checking my script for vulnerabilities and was shocked the way i used to do in the past which is extremely insecure:

foreach ($_GET as $key => $value){
    $$key = $value;
}

or shorter

extract( $_GET );

I altered with firebug some POST/GET variables to match a name i used in my script. they can be overwritten if the name would be guessed correctly.

So i thought i had to do it individually naming like this: $allowed_vars =

$allowed_vars = array("time","hotfile","netload","megaupload","user","pfda","xyz","sara","amount_needed");
    foreach ($_GET as $key => $value)
        {
             if (in_array($key,$allowed_vars))
                {
                    $$key = $value;
                }
        }

This way saves some time than naming them individually.

What kind of automation have to be used for this?

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

4条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
drip5880 2012-01-16 15:05
关注
I don't use any automatism of the kind.
I see no point in assigning request variables to global variables automatically.
If it's one or two variables, I could deal with them manually.
If there are more, I'd rather keep them as array members for the convenient handling.

Yet I am using some sort of whitelisting approach similar to yours. but not to create global variables out of POST data but to add that data into SQL query.

Like in this simple helper function to produce SET statement:

function dbSet($fields) { $set=''; foreach ($fields as $field) { if (isset($_POST[$field])) { $set.="`$field`='".mysql_real_escape_string($_POST[$field])."', "; } } return substr($set, 0, -2); } $id = intval($_POST['id']); $fields = explode(" ","name surname lastname address zip fax phone"); $query = "UPDATE $table SET ".dbSet($fields)." stamp=NOW() WHERE id=$id";
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

查看更多回答(3条)

报告相同问题？

关注问题

PHP安全地转换$ _GET / $ _POST数组 php
2012-01-16 14:52

回答 4 已采纳 I don't use any automatism of the kind. I see no point in assigning request variables to global va
如何将数组键转换为$ _POST [name] php
2014-01-27 12:57

回答 4 已采纳 I think this is very easier : $foo = array('name', 0, 'firstname') $res = $_POST; foreach ($foo a
将$ _POST文本输入转换为多维数组 php
2013-12-11 16:49

回答 1 已采纳 Brackets [] will make an array, so try this and print_r($_POST) and see: foreach ($productid as $
php$_GET的作用,PHP里的$_GET数组介绍
2021-04-03 08:03

纤雀的博客在开发过程中，GET和POST无处不在。$_GET 变量是一个数组，内容是由 HTTP GET 方法发送的变量名称和值。$_GET 变量用于收集来自 method="get" 的表单中的值。从带有 GET 方法的表单发送的信息，对任何人都是可见的...
将数组值转换为字符串可写入从$ _GET函数传入的文本文件 php
2015-02-05 00:19

回答 3 已采纳 Actually I realized that only using the json_encode function solved my problem and started to turn
PHP将多维数组转换为查询字符串以进行curl POST php
2017-04-07 02:18

回答 1 已采纳 You can use http_build_query() to create a string that you can pass to cURL: <?php $posted = [
将PHP数组转换为C＃ c# php
2019-03-12 19:15

回答 1 已采纳 Hi trev52 and welcome to Stackoverflow! As you said, you have an associative array¹ inside the va
php$_GET的作用,PHP $_GET
2021-04-03 08:03

weixin_39878855的博客 PHP $_GET$_GET 变量的数据结构同 $_POST 类似，也是一个关联数组，键名为表单元素的 name，用于收集以 HTTP GET 方式请求的数据。表单 form.html：称呼: 将前面的例子表单改为 GET 方式，输入称呼后，在浏览器地址...
字符丢失将_GET数组转换为URL字符串 php
2013-06-21 15:02

回答 3 已采纳 So, even though both cases output to web a web browser and both convert from an array using http_b
将HTML转换为PHP数组 php
2019-06-16 10:49

回答 2 已采纳 Here is the code that should get you where you want to be. I have added comments where I felt they
错误：PHP中的数组到字符串转换 php
2018-05-26 05:30

回答 1 已采纳 When using mysqli you need to free up the results per each query. Since you made a query with the
用get获取php里的数组吗,谈谈PHP里的$_GET数组_PHP教程
2021-04-20 15:08

半生听风吟的博客在开发过程中，GET和POST像灵魂一样，无处不在。$_GET 变量是一个数组，内容是由 HTTP GET 方法发送的变量名称和值。$_GET 变量用于收集来自 method=”get” 的表单中的值。从带有 GET 方法的表单发送的信息，对任何...
使用PHP将数组转换/查询为JSON json php
2014-07-15 20:32

回答 2 已采纳 For json_encode() to produce a json string that includes the associative indices, they need to be
php中$_POST与php://input的区别实例分析
2020-12-19 17:33

$_POST 以关联数组方式组织提交的数据，并对此进行编码处理，如urldecode，甚至编码转换 php://input 也可以实现此这个功能可以获得POST的原始数据。代码复制代码代码如下:echo file_get_contents( ...
php把get参数放入数组_PHP里的$_GET数组介绍
2020-12-29 10:24

weixin_39875805的博客在开发过程中，GET和POST无处不在。$_GET 变量是一个数组，内容是由 HTTP GET 方法发送的变量名称和值。$_GET 变量用于收集来自 method="get" 的表单中的值。从带有 GET 方法的表单发送的信息，对任何人都是可见的...
没有解决我的问题, 去提问

悬赏问题

¥15 虚幻5 UE美术毛发渲染
¥15 CVRP 图论物流运输优化
¥15 Tableau online 嵌入ppt失败
¥100 支付宝网页转账系统不识别账号
¥15 基于单片机的靶位控制系统
¥15 真我手机蓝牙传输进度消息被关闭了，怎么打开？(关键词-消息通知)
¥15 装 pytorch 的时候出了好多问题，遇到这种情况怎么处理？
¥20 IOS游览器某宝手机网页版自动立即购买JavaScript脚本
¥15 手机接入宽带网线，如何释放宽带全部速度
¥30 关于#r语言#的问题：如何对R语言中mfgarch包中构建的garch-midas模型进行样本内长期波动率预测和样本外长期波动率预测

PHP安全地转换$ _GET / $ _POST数组

4条回答 默认 最新

悬赏问题

4条回答默认最新