dsbgltg159136540 2017-10-18 05:58
Views: 59
Accepted

PHP security to prevent malicious code insertion

I am writing a program to be run on a server that takes input from clients in the form http://mywebsite.com/program.php?input=42

I'm concerned that having the client be able to give any value in place of the 42 above could be a security risk, because they could put code there that might run on my server. I would like to know if checking that this input is only alphanumeric before proceeding to do anything with it is sufficient protection. If not, what should I do to be secure? If so, are there any safety concerns regarding the way in which I do this checking (for example, while checking that the input is alphanumeric, could the input, if it is malicious code, somehow get run?)

Thanks


1 answer

  • duanji6997 2017-10-18 06:10

    It’s all about how you’re interpreting and using that $_GET['input']

    If you write code like this:

    // the client-supplied value is executed as a shell command
    exec($_GET['input']);
    

    or

    if ($_GET['input'] == 66) {
         exec("rm -r /");
    }
    

    It’s obvious that people can do something dangerous. But it’s less critical than you think.

    The problem with PHP is that its type system doesn’t encourage people to check their input before using it.

    A usual example is the SQL-injectable code:

    // the request value is concatenated straight into the SQL text
    $db->query("SELECT * FROM table WHERE id = '" . $_GET['id'] . "'");
    

    Which is really unsafe.

    In your example, if your input should be an integer you can check if that’s an integer:

    // $_GET values are always strings, so is_integer() would reject every request;
    // FILTER_VALIDATE_INT validates the string form and returns false otherwise.
    if (filter_var($_GET['input'] ?? '', FILTER_VALIDATE_INT) === false) die("invalid");
    
    This answer was selected as the best answer by the asker.
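As an added example (not part of the question or the accepted answer), here is how the `input=42` parameter from the question can be handled safely end to end: the value is validated as a bounded integer with `filter_var` (it arrives as a string, so `is_integer()` alone would never pass), an alphanumeric whitelist is shown for the token case the asker mentions, and the lookup uses a PDO prepared statement so the value never becomes part of the SQL text. The helper names, the in-memory SQLite table and the sample inputs are constructed for this demo and are assumptions, not anything from the original thread.

```php
<?php
// Added example: defensive handling of program.php?input=42.
// Helper names, the SQLite table and the sample inputs are constructed for this demo.
declare(strict_types=1);

// Validate the query-string value as a decimal integer within an allowed range.
// filter_var() works on the string $_GET actually holds; is_integer() would not.
function parseInputId(array $query, int $min = 1, int $max = 1000000): ?int
{
    if (!isset($query['input']) || !is_string($query['input'])) {
        return null;
    }
    $value = filter_var($query['input'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

// Whitelist for a token that must be letters and digits only (the asker's case).
// ctype_alnum() only inspects characters; nothing in the string is interpreted.
function isAlnumToken(string $value, int $maxLen = 32): bool
{
    return $value !== '' && strlen($value) <= $maxLen && ctype_alnum($value);
}

// Look up a row with a prepared statement: the bound value is sent separately
// from the SQL text, so the quoting problem of the injectable example disappears.
function fetchItemById(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM items WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo: constructed in-memory table standing in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO items (id, name) VALUES (42, 'forty-two'), (66, 'sixty-six')");

// Constructed request values, standing in for $_GET on successive requests.
$samples = [
    ['input' => '42'],             // valid
    ['input' => '42; rm -r /'],    // shell-style payload: not an integer, rejected
    ['input' => "42' OR '1'='1"],  // SQL-style payload: not an integer, rejected
    ['input' => '0x2A'],           // hex text, not a decimal integer: rejected
    ['input' => '-5'],             // outside the allowed range: rejected
    [],                            // parameter missing: rejected
];

foreach ($samples as $query) {
    $shown = var_export($query['input'] ?? null, true);
    $id = parseInputId($query);
    if ($id === null) {
        // In a real handler: http_response_code(400); and stop here.
        echo "input=$shown -> rejected\n";
        continue;
    }
    $row = fetchItemById($db, $id);
    echo "input=$shown -> id $id -> " . ($row ? $row['name'] : 'not found') . "\n";
}

// The alphanumeric whitelist on a couple of constructed tokens.
echo 'abc123 alnum: ' . (isAlnumToken('abc123') ? 'yes' : 'no') . "\n";
echo 'abc 123 alnum: ' . (isAlnumToken('abc 123') ? 'yes' : 'no') . "\n";
```

Run it with the CLI (`php example.php`); it needs the `pdo_sqlite` and `ctype` extensions, which are enabled in most builds. The answer's point is that a validation routine like `parseInputId()` only reads the string, so nothing in it is executed during the check; the danger comes only from later passing the raw value to `exec()` or into an SQL string, which the prepared statement and the integer cast remove.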
