douling6469 2009-05-22 12:14
浏览 12
已采纳

通过$ _GET注册位置标头的php安全性

I've got this code on my page:

header("Location: $page");

$page is passed to the script as a GET variable, do I need any security? (if so what)

I was going to just use addslashes() but that would stuff up the URL...

  • 写回答

4条回答 默认 最新

  • dongshushi5579 2009-05-22 12:21
    关注

    I could forward your users anywhere I like if I get them to click a link, which is definitely a big security flaw (Please login on www.yoursite.com?page=badsite.com). Now think of a scenario where badsite.com looks exactly like your site, except that it catches your user's credentials.

    You're better off defining a $urls array in your code and passing only the index to an entry in that array, for example:

    $urls = array(
        'pageName1' => '/link/to/page/number/1',
        'pageNumber2' => '/link/to/page/number/2',
        'fancyPageName3' => '/link/to/page/number/3',
    );
    # Now your URL can look like this:
    # www.yoursite.com?page=pageName1
    
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(3条)

报告相同问题?

悬赏问题

  • ¥30 代码本地运行正常,但是TOMCAT部署时闪退
  • ¥15 关于#python#的问题
  • ¥15 主机可以ping通路由器但是连不上网怎么办
  • ¥15 数据库一张以时间排好序的表中,找出多次相邻的那些行
  • ¥50 关于DynamoRIO处理多线程程序时候的问题
  • ¥15 kubeadm部署k8s出错
  • ¥15 Abaqus打不开cae文件怎么办?
  • ¥20 双系统开机引导中windows系统消失问题?
  • ¥15 小程序准备上线,软件开发公司需要提供哪些资料给甲方
  • ¥15 关于生产日期批次退货退款,库存回退的问题