安全可靠地将文件路径转换为URL

我正在使用php,我有以下代码将绝对路径转换为网址。</ p>

  function make_url($ path,$ secure = false){
return(!$ secure?'http://':'https://').str_replace($ _SERVER [ 'DOCUMENT_ROOT'],$ _SERVER ['HTTP_HOST'],$ path);
}
</ code> </ pre>

我的问题基本上是,有没有更好的方法来做到这一点 在位置和服务器之间可移植的安全性/可靠性方面?</ p>
</ div>

展开原文

原文

I'm using php and I have the following code to convert an absolute path to a url.

function make_url($path, $secure = false){
    return (!$secure ? 'http://' : 'https://').str_replace($_SERVER['DOCUMENT_ROOT'], $_SERVER['HTTP_HOST'], $path);
}

My question is basically, is there a better way to do this in terms of security / reliability that is portable between locations and servers?

3个回答



HTTP_HOST变量不是可靠或安全的值,因为它也是由客户端发送的。 因此,请务必在使用之前验证其值。</ p>
</ div>

展开原文

原文

The HTTP_HOST variable is not a reliable or secure value as it is also being sent by the client. So be sure to validate its value before using it.



我不认为安全性会受到影响,因为这是一个网址,被打印到浏览器...... 可能发生的最糟糕的情况是将完整的目录路径暴露给文件,并可能创建一个断开的链接。</ p>

作为一个侧面说明,如果这是在HTML文档中打印,我猜 你传递输出虽然像htmlentities ...只是在输入$ path包含像[脚本]标签(XSS)的东西。</ p>

为了使这更可靠 虽然,我不建议匹配'DOCUMENT_ROOT',因为有时它没有设置,或者不匹配(例如,当Apache重写规则开始妨碍时)。</ p>

如果 我要重新编写它,我只是确保始终打印'HTTP_HOST'... </ p>

  function make_url($ path,$ secure = false){
return(!$ secure?'http://':'https://')。$ _ SERVER ['HTTP_HOST'] .str_replace($ _SERVER ['DOCUMENT_ROOT'],'',$ path);
} \ ñ</代码> </ PR e>

...如果可能的话,更新调用代码以便它只是通过路径,所以我甚至不需要考虑删除'DOCUMENT_ROOT'(即 如果路径与'DOCUMENT_ROOT'不匹配会发生什么... ... </ p>

  function make_url($ path,$ secure = false){
return(!$ secure? 'http://':'https://')。$ _ SERVER ['HTTP_HOST']。$ path;
}
</ code> </ pre>

哪一个离开 问题...为什么有这个功能?</ p>

在我的网站上,我只是在脚本执行开始时定义了一个变量:</ p>

   $ GLOBALS ['webDomain'] ='http://'。  (isset($ _ SERVER ['HTTP_HOST'])?$ _SERVER ['HTTP_HOST']:''); 
$ GLOBALS ['webDomainSSL'] = $ GLOBALS ['webDomain'];
</ code> </ pre>

我在哪里使用GLOBALS所以它可以在任何地方访问(例如在函数中)...但是如果你知道这个值不会改变你也可能想要考虑一个常量(define) (我有时会在站点范围的配置文件中更改这些值,例如,如果我有网站的HTTPS / SSL证书)。</ p>
</ div>

展开原文

原文

I don't think security is going to be effected, simply because this is a url, being printed to a browser... the worst that can happen is exposing the full directory path to the file, and potentially creating a broken link.

As a little side note, if this is being printed in a HTML document, I presume you are passing the output though something like htmlentities... just in-case the input $path contains something like a [script] tag (XSS).

To make this a little more reliable though, I wouldn't recommend matching on 'DOCUMENT_ROOT', as sometimes its either not set, or won't match (e.g. when Apache rewrite rules start getting in the way).

If I was to re-write it, I would simply ensure that 'HTTP_HOST' is always printed...

function make_url($path, $secure = false){
    return (!$secure ? 'http://' : 'https://').$_SERVER['HTTP_HOST'].str_replace($_SERVER['DOCUMENT_ROOT'], '', $path);
}

... and if possible, update the calling code so that it just passes the path, so I don't need to even consider removing the 'DOCUMENT_ROOT' (i.e. what happens if the path does not match the 'DOCUMENT_ROOT')...

function make_url($path, $secure = false){
    return (!$secure ? 'http://' : 'https://').$_SERVER['HTTP_HOST'].$path;
}

Which does leave the question... why have this function?

On my websites, I simply have a variable defined at the beggining of script execution which sets:

$GLOBALS['webDomain'] = 'http://' . (isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '');
$GLOBALS['webDomainSSL'] = $GLOBALS['webDomain'];

Where I use GLOBALS so it can be accessed anywhere (e.g. in functions)... but you may also want to consider making a constant (define), if you know this value won't change (I sometimes change these values later in a site wide configuration file, for example, if I have an HTTPS/SSL certificate for the website).



我认为这是错误的方法。</ p>

HTML支持相对位置的URL。 也就是说,您可以执行&lt; A href =“filename.php”&gt; link&lt; / a&gt; </ code>来引用其URL中与相关页面具有相同路径的页面。 您还可以执行&lt; a href =“/ dir / filename.php”&gt; link&lt; / a&gt; </ code>,以提供同一网站的完整路径。 这两个技巧意味着您的网站代码并不真正需要知道提供工作URL的位置。</ p>

也就是说,您可能需要一些技巧,因此您可以在 http://www.example.com/dev/site.php </ code>和另一个 http://www.example.com/testing/site.php </ code>。 您需要一些代码来确定正在使用哪个目录前缀,但您可以使用配置值来执行此操作。 我指的是属于该(子)站点配置的值,而不是版本控制的代码!</ p>
</ div>

展开原文

原文

I think this is the wrong approach.

URLs in a HTML support relative locations. That is, you can do <A href="filename.php">link</a> to refer to a page that has the same path in its URL as the corrent page. You can also do <a href="/dir/filename.php">link</a> to provide a full path to the same website. These two tricks mean your website code doesn't really need to know where it is to provide working URLs.

That said, you might need some tricks so you can have one website on http://www.example.com/dev/site.php and another on http://www.example.com/testing/site.php. You'll need some code to figure out which directory prefix is being used, but you can use a configuration value to do that. By which I mean a value that belongs to that (sub-)site's configuration, not the version-controlled code!

Csdn user default icon
上传中...
上传图片
插入图片
抄袭、复制答案,以达到刷声望分或其他目的的行为,在CSDN问答是严格禁止的,一经发现立刻封号。是时候展现真正的技术了!
立即提问