douzhi4830 2012-01-16 14:52
Views: 84
Accepted

PHP: safely converting the $_GET / $_POST arrays

I was checking my script for vulnerabilities and was shocked at the way I used to do it in the past, which is extremely insecure:

foreach ($_GET as $key => $value){
    $$key = $value;
}

or, shorter:

extract( $_GET );

I altered some POST/GET variables with Firebug to match a name I used in my script; they can be overwritten if the name is guessed correctly.

So I thought I had to do it by naming them individually, like this:

$allowed_vars = array("time","hotfile","netload","megaupload","user","pfda","xyz","sara","amount_needed");
foreach ($_GET as $key => $value) {
    if (in_array($key, $allowed_vars)) {
        $$key = $value;
    }
}

This way saves some time compared to naming them individually.

What kind of automation has to be used for this?


4 answers

  • drip5880 2012-01-16 15:05

    I don't use any automatism of the kind.
    I see no point in assigning request variables to global variables automatically.
    If it's one or two variables, I could deal with them manually.
    If there are more, I'd rather keep them as array members for the convenient handling.

    Yet I am using some sort of whitelisting approach similar to yours, but not to create global variables out of POST data; rather, to add that data into an SQL query.

    Like in this simple helper function to produce a SET statement:

    // Builds the "col1='v1', col2='v2'" part of an UPDATE from whitelisted POST fields.
    // Only field names listed in $fields are ever used as column names; the values
    // are escaped before being placed in the query.
    function dbSet($fields) {
      $set = '';
      foreach ($fields as $field) {
        if (isset($_POST[$field])) {
          $set .= "`$field`='" . mysql_real_escape_string($_POST[$field]) . "', ";
        }
      }
      return substr($set, 0, -2); // drop the trailing ", "
    }

    $id     = intval($_POST['id']);
    $fields = explode(" ", "name surname lastname address zip fax phone");
    $query  = "UPDATE $table SET " . dbSet($fields) . " stamp=NOW() WHERE id=$id";
    
    This answer was selected as the best answer by the asker.
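As an added example (not code from the question or the answer), the whitelist from the question combined with the answer's advice to keep request data as array members, with the variable-overwrite risk shown beside the hardened form. The simulated request array, the `$is_admin` flag and the `in` prefix are constructed for the demonstration.

```php
<?php
// Added example, not code from the question or the answers.
// The request array, $is_admin and the 'in' prefix are constructed.

// A simulated request stands in for $_GET so the script runs offline.
$request = [
    'user'     => 'alice',
    'amount'   => '3',
    'is_admin' => '1',   // a key the client chose to collide with a script variable
];

// Unsafe: every request key becomes a variable and can clobber script state.
function unsafeImport(array $input): bool
{
    $is_admin = false;               // decided by the script, not the client
    foreach ($input as $key => $value) {
        $$key = $value;              // 'is_admin' from the request overwrites it
    }
    return (bool) $is_admin;
}

// Safer: keep only whitelisted keys and leave them in an array.
function filterRequest(array $input, array $allowed): array
{
    // array_intersect_key keeps the entries of $input whose keys are in $allowed
    return array_intersect_key($input, array_flip($allowed));
}

// If separate variables are still wanted, extract() with EXTR_PREFIX_ALL
// puts them behind a prefix, so they cannot collide with existing names.
function safeImport(array $input, array $allowed): bool
{
    $is_admin = false;
    $clean = filterRequest($input, $allowed);
    extract($clean, EXTR_PREFIX_ALL, 'in');
    // $in_user and $in_amount now exist; nothing outside the whitelist was imported
    return (bool) $is_admin;         // unchanged by the request
}

$allowed = ['user', 'amount'];
var_dump(unsafeImport($request));            // the clobbered flag
var_dump(safeImport($request, $allowed));    // the protected flag
print_r(filterRequest($request, $allowed));  // only whitelisted keys remain
```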