dqrm8199 2015-11-05 20:42
浏览 36

如何保护get / post参数?

Lately I see more errors in logs regarding get/post parameters on a nginx/php hosted website. I have some basic checks(sanitization) in place but I think I haven't done enough.

Some of my checks have revealed attempts on an "id" parameter: 

Parameter ID was not a number! Parameter was: function id() {
var s = '';
while (s.length < 32) {
    s  = Math.random().toString(36).replace(/[^A-Za-z]/g, '');
}
return s;
}" while reading response header from upstream, client: ...

So basically I was expecting a number and got a very interesting string. I don't even know what they were trying to achieve with that code, it seems to be javascript and my server is php.

I was thinking of checking even string parameters by a regex.

What kind of checks do you recommend for get/post parameters on a php website?

  • 写回答

1条回答 默认 最新

  • douyin8623 2015-11-05 20:49
    关注

    It really depends on the type of data you're trying to retrieve. In your case with (integer) numbers, I think what you're doing is fine: if they don't input an integer value, then just return an error like you're doing.

    For text, I think sanitization (removing illegal characters), such as with htmlentities() should be enough to prevent hacking attacks.

    But again, it really depends on the level of security and data types you use.

    评论

报告相同问题?

悬赏问题

  • ¥170 如图所示配置eNSP
  • ¥20 docker里部署springboot项目,访问不到扬声器
  • ¥15 netty整合springboot之后自动重连失效
  • ¥15 悬赏!微信开发者工具报错,求帮改
  • ¥20 wireshark抓不到vlan
  • ¥20 关于#stm32#的问题:需要指导自动酸碱滴定仪的原理图程序代码及仿真
  • ¥20 设计一款异域新娘的视频相亲软件需要哪些技术支持
  • ¥15 stata安慰剂检验作图但是真实值不出现在图上
  • ¥15 c程序不知道为什么得不到结果
  • ¥15 键盘指令混乱情况下的启动盘系统重装