duanhao5038 2014-09-29 19:14
浏览 41
已采纳

使用switch确定HTTP方法是否安全?

I recently read a tutorial (http://code.tutsplus.com/tutorials/a-beginners-guide-to-http-and-rest--net-16340) on determining the HTTP headers to change the action of a script. The tutorial gives an example of a PHP script to accomplish this 

$method = $_SERVER['REQUEST_METHOD'];

switch($method) {
  case 'PUT':
    $this->create_contact($name);
  break;

  case 'DELETE':
    $this->delete_contact($name);
  break;

  case 'GET':
    $this->display_contact($name);
  break;

  default:
    header('HTTP/1.1 405 Method Not Allowed');
    header('Allow: GET, PUT, DELETE');
   break;
}

...and mentions

We use a switch statement, which should be avoided in a real application:

Several questions:

  1. Why would you avoid using this function?
  2. Is there a vulnerability in using the switch statement itself, or is it the $_SERVER variable that makes it vulnerable?
  3. An answer in this post (Is $_SERVER['QUERY_STRING'] safe from XSS?) recommends the use of htmlentities to protect $_SERVER values. Is this sufficient?

Thanks very much!

  • 写回答

2条回答 默认 最新

  • drwkqwa82140 2014-09-30 19:41
    关注

    Why would you avoid using this function?

    Many programmers would pick their reasons to avoid using "switch" statements, depending on the context.

    For instance, a project might have many "switch" statements with duplicated code to do something that would be solved with polymorphism.

    The "switch", in this case, is being used to map HTTP methods with callables (except the "default"): you could map http methods to callables that could be replaced in runtime. Python programmers who follow the "pythonic philosophy" use dictionaries to do the same thing that "switch" statements do, but with the ability to change the map in runtime.

    Is there a vulnerability in using the switch statement itself, or is it the $_SERVER variable that makes it vulnerable?

    No, there aren't vulnerabilities in using "switch" by itself.

    You should not thrust the values from $_SERVER because they're input from web clients (usually browsers). A simple "curl" script can send inaccurate or invalid data, such as the IP address, User-agent, the referer, etc. This is useful for web scraping (some websites are implemented to prevent naive scraping).

    Check the "filter_input" function to filter values from global variables with input values ($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV).

    An answer in this post (Is $_SERVER['QUERY_STRING'] safe from XSS?) recommends the use of htmlentities to protect $_SERVER values. Is this sufficient?

    It depends on the context.

    For instance, if you want to use it for javascript code, it would not be enough to protect from XSS. In this case, you'd need to to use a function to escape the strings for javascript ("json_encode" might be helpful in this case).

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥20 求数据集和代码#有偿答复
  • ¥15 关于下拉菜单选项关联的问题
  • ¥20 java-OJ-健康体检
  • ¥15 rs485的上拉下拉,不会对a-b<-200mv有影响吗,就是接受时,对判断逻辑0有影响吗
  • ¥15 使用phpstudy在云服务器上搭建个人网站
  • ¥15 应该如何判断含间隙的曲柄摇杆机构,轴与轴承是否发生了碰撞?
  • ¥15 vue3+express部署到nginx
  • ¥20 搭建pt1000三线制高精度测温电路
  • ¥15 使用Jdk8自带的算法,和Jdk11自带的加密结果会一样吗,不一样的话有什么解决方案,Jdk不能升级的情况
  • ¥15 画两个图 python或R