douzhi4830 2012-01-16 14:52
浏览 84
已采纳

PHP安全地转换$ _GET / $ _POST数组

I was checking my script for vulnerabilities and was shocked the way i used to do in the past which is extremely insecure:

foreach ($_GET as $key => $value){
    $$key = $value;
}

or shorter

extract( $_GET );

I altered with firebug some POST/GET variables to match a name i used in my script. they can be overwritten if the name would be guessed correctly.

So i thought i had to do it individually naming like this: $allowed_vars = 

$allowed_vars = array("time","hotfile","netload","megaupload","user","pfda","xyz","sara","amount_needed");
    foreach ($_GET as $key => $value)
        {
             if (in_array($key,$allowed_vars))
                {
                    $$key = $value;
                }
        }

This way saves some time than naming them individually.

What kind of automation have to be used for this?

  • 写回答

4条回答 默认 最新

  • drip5880 2012-01-16 15:05
    关注

    I don't use any automatism of the kind.
    I see no point in assigning request variables to global variables automatically.
    If it's one or two variables, I could deal with them manually.
    If there are more, I'd rather keep them as array members for the convenient handling.

    Yet I am using some sort of whitelisting approach similar to yours. but not to create global variables out of POST data but to add that data into SQL query.

    Like in this simple helper function to produce SET statement:

    function dbSet($fields) {
  $set='';
  foreach ($fields as $field) {
    if (isset($_POST[$field])) {
      $set.="`$field`='".mysql_real_escape_string($_POST[$field])."', ";
    }
  }
  return substr($set, 0, -2); 
}

$id     = intval($_POST['id']);
$fields = explode(" ","name surname lastname address zip fax phone");
$query  = "UPDATE $table SET ".dbSet($fields)." stamp=NOW() WHERE id=$id";
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(3条)

报告相同问题?