dsgs8208 2011-05-10 13:26

How is SCRIPT_NAME dangerous in PHP?

I am using the line below in my PHP blog site. How is that dangerous? I have register_globals off and magic_quotes_gpc() also off, and I am using PHP 5.2. Can anyone please enlighten me, or give an alternative to this? I did try $_SERVER['php_self'] but that didn't work.

<form action="<?php echo $SCRIPT_NAME. "?id=" . $validentry; ?>" method="post">

3 answers

  • dongshuo2752 2011-05-10 13:39

    SCRIPT_NAME and PHP_SELF mostly contain the same value. Both contain the webserver-normalized version of REQUEST_URI (that is, relative path parts removed).

    Your actual security issue here is not using htmlspecialchars(). And as said before, just use the correct key case to output PHP_SELF:

    <form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8") . $validentry ...
    
    This answer was selected by the asker as the best answer.
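
The escaping recommended in the accepted answer, shown as an added example (not code from the question or the answer): it builds the form's action value from a path and an id, URL-encodes the id, HTML-escapes the result, and prints it beside the unescaped form. The function name `form_action`, the script path and the sample values are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the question or the answer.
// Plain syntax so it also runs on old PHP versions such as the 5.2
// mentioned in the question. Run with: php example.php

/**
 * Return an action URL that is safe to place inside a quoted HTML attribute.
 * form_action() is a hypothetical helper name.
 */
function form_action($path, $id)
{
    // rawurlencode() keeps the id from introducing extra query parameters.
    $url = $path . '?id=' . rawurlencode((string) $id);
    // ENT_QUOTES escapes both " and ' in addition to <, > and &.
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed sample values standing in for $_SERVER['PHP_SELF'] and $validentry.
$samples = array(
    // Ordinary request.
    array('/blog/viewentry.php', 12),
    // Extra path text after the script name, which PHP_SELF reflects.
    array('/blog/viewentry.php/"><b>injected</b>', 12),
    // An id that contains query-string metacharacters.
    array('/blog/viewentry.php', '12&admin=1'),
);

foreach ($samples as $sample) {
    $path = $sample[0];
    $id   = $sample[1];

    // What an unescaped echo writes into the page.
    $unescaped = $path . '?id=' . $id;
    // The same value after URL-encoding the id and HTML-escaping the whole.
    $escaped = form_action($path, $id);

    echo 'unescaped: <form action="' . $unescaped . '" method="post">' . "\n";
    echo 'escaped:   <form action="' . $escaped . '" method="post">' . "\n\n";
}
```

In the second sample the unescaped line closes the `action` attribute early and adds a `<b>` element to the page, while the escaped line keeps the whole value inside the attribute as `&quot;&gt;&lt;b&gt;injected&lt;/b&gt;`.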