dpp78272 2011-09-05 07:54
50 views

PHP: block a variable passed via the query string, but allow the same variable passed through Apache mod_rewrite

I'm using .htaccess mod_rewrite to convert a nice URL, and using a PHP variable, page, to send the URL portion to index.php, where the rest of the processing is done.

RewriteRule ^([a-zA-Z0-9-_/]+)$ index.php?page=$1 [QSA,L]

Now, if some malicious user passes the page variable via the query string, it gets accepted. For example, if the user calls http://mysite.com/login?page=registration, then instead of loading the login page, the user-specified registration page gets loaded.

Any idea how to fix it within the htaccess file?


2 answers

  • duanhui4160 2011-09-05 07:59

    I've looked for answers for the same thing myself and I'm pretty sure there is no solution to it. The only solution I've come up with is to replace page with some arbitrary "key" instead, like 98198bs129387b13. Thus, they would have to know the key. But make no mistake, this is security through obscurity... and having proper checks in index.php is still necessary (and it is regardless).

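One way to enforce this at the .htaccess level, as an added example that is not from the question or the answer: test the raw request line (%{THE_REQUEST}) before the pretty-URL rule. THE_REQUEST keeps the client's original query string and is not altered when mod_rewrite re-runs the per-directory rules after its own internal rewrite, so the guard does not trip on the page= that the rule itself appends. It assumes the RewriteRule from the question and a directory where mod_rewrite is enabled.

```apache
RewriteEngine On

# Guard: refuse any request whose ORIGINAL request line already carries a
# "page" parameter. %{THE_REQUEST} holds the raw line the client sent, e.g.
# "GET /login?page=registration HTTP/1.1". mod_rewrite never updates it, so
# the internal rewrite to index.php?page=... below does not re-trigger this
# condition on the second pass. [?&]page= anchors on the parameter name, so
# an unrelated parameter such as "mypage=" does not match.
RewriteCond %{THE_REQUEST} [?&]page= [NC]
RewriteRule ^ - [F,L]

# Rule from the question: /some/path -> index.php?page=some/path, still
# keeping any other client query parameters (QSA) now that page= itself
# can no longer be one of them.
RewriteRule ^([a-zA-Z0-9-_/]+)$ index.php?page=$1 [QSA,L]
```

This is a guard rail at the web-server layer only; index.php still has to validate page against a fixed list of known pages, as the answer says.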
