doulao7572 2013-09-03 14:53 Acceptance rate: 0%

PHP security when retrieving parameter values

I don't know much about PHP, so forgive my ignorance. I am trying to have a parameter value entered in the Joomla admin area append a string to my bootstrap container class, to change the page from a fixed to a fluid layout.

I am retrieving the value like this...

$conType = $this->params->get('conType','');

and then simply setting it as follows...

class="container<?php echo $conType; ?>"

However, I was worried (knowing very little about PHP) if this was a security problem since any value could be set as $conType - is that a problem? If so, would this work instead...?

$conType = (int) $this->params->get('conType', '0');

if ($conType === 1)
{
    $conType = "-fluid";
}
else
{
    $conType = ' ';
}

And then just echo it again. Is that necessary? Is there a better way?


1 answer

dozrhldy285751 2013-09-03 14:58

    Yes, this would work and is secure.

    If $conType can be any parameter, it is important to escape it against XSS by using htmlentities():

    echo htmlentities($conType);

    The way you did it is even better, although it costs more effort. ;-)

    Just remember to use htmlentities in future if you need escaping of many parameters and not just one small customization. And as a piece of advice, please inform yourself about PHP and security before continuing to develop PHP applications (if you are planning to). As a web developer (especially as a PHP developer), you really should know about topics like "XSS", "SQL Injection" and "CSRF". :-)

    [As an alternative to htmlentities, there is htmlspecialchars, which encodes less characters, see htmlentities() vs. htmlspecialchars() for a comparison]

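The two approaches discussed above, the asker's whitelist and the answerer's output escaping, side by side in one runnable script. This is an added example, not code from the question, the answer, or Joomla; the Joomla call $this->params->get('conType', '') is stood in for by constructed input values, and the function names containerSuffix, escapeAttr and renderContainer are my own.

```php
<?php
// Added example (not from the original question or answer).
// Two ways to safely turn an admin-entered parameter into part of a CSS class:
//  1. whitelist: map the raw value onto one of a fixed set of known strings;
//  2. escape: encode whatever remains before it is written into an HTML attribute.
declare(strict_types=1);

/**
 * Whitelist approach (the asker's second snippet): the parameter is cast to
 * int and only the value 1 selects the fluid layout. Only two outputs are
 * possible, so the raw parameter text never reaches the markup at all.
 * Note that (int) is lenient: '1" data-extra="x' casts to 1, but the result
 * is still the fixed string '-fluid', so the hostile tail is discarded.
 */
function containerSuffix($raw): string
{
    return ((int) $raw === 1) ? '-fluid' : '';
}

/**
 * Escaping approach (the answer's advice): encode the value for use inside a
 * double-quoted HTML attribute. ENT_QUOTES makes ' and " get encoded too,
 * which is what prevents a value from closing the attribute early.
 * htmlspecialchars() is enough for this; htmlentities() encodes more
 * characters but does not add safety for an attribute value.
 */
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderContainer(string $suffix): string
{
    return '<div class="container' . $suffix . '">';
}

// Constructed inputs: the two expected admin settings and one value that
// carries a double quote, the kind of input the question worries about.
$inputs = ['0', '1', '1" data-extra="x'];

foreach ($inputs as $raw) {
    echo 'raw value:  ' . var_export($raw, true) . PHP_EOL;
    echo '  whitelist: ' . renderContainer(containerSuffix($raw)) . PHP_EOL;
    echo '  escaped:   ' . renderContainer(escapeAttr($raw)) . PHP_EOL;
    // Shown only to make the difference visible: never do this in a template.
    echo '  unescaped: ' . renderContainer($raw) . PHP_EOL;
}
```

Run it with `php example.php`. For the third input the whitelist line prints `<div class="container-fluid">`, the escaped line prints `<div class="container1&quot; data-extra=&quot;x">` (the quote is encoded, so the browser treats the whole thing as one class name), and the unescaped line prints `<div class="container1" data-extra="x">`, where the parameter has injected a second attribute. The whitelist is the stronger choice when the set of legitimate values is known, as it is here; escaping is the general fallback for free-form values.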
