dsgs8208 2011-05-10 13:26
浏览 58
已采纳

SCRIPT_NAME如何在PHP中危险?

I am using line below in my php blog site, how is that danger ? I have register_global off and magic_quotes_gpc() also off and using php 5.2. Can anyone please enlight me, or give alternative to this ? I did try $_SERVER['php_self'] but that didn't work.

<form action="<?php echo $SCRIPT_NAME. "?id=" . $validentry; ?>" method="post">
  • 写回答

3条回答 默认 最新

  • dongshuo2752 2011-05-10 13:39
    关注

    SCRIPT_NAME and PHP_SELF mostly contain the same value. Both contain the webserver-normalized version of REQUEST_URI (that is, relative path parts removed).

    Your actual security issue here is not using htmlspecialchars(). And as said before, just use the correct key case to output PHP_SELF:

    <form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8") . $validentry ...
    
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?