普通网友 2015-02-18 18:10
浏览 7

通过网址发送的消除错误

Ok quick question. I am sending errors through URL in intergers only

(../index?err=4)

then when it gets there I am filtering that error with

$errorget = filter_input(
    INPUT_GET, 'err', $filter = FILTER_SANITIZE_NUMBER_INT
);

I then use a switch to select appropriate echo.

switch ($errorget) {
    case "4":
        $error = 'Error1';
        break;
    case "61":
        $error = 'Error2';
        break;
    case "33":
        $error = 'Error3';
        break;
    case '51':
        $error = 'Error4';
        break;
    default:
        $error = null;
}
echo $error;

Ok so, is this a safe method and is there a vulnerability with this way to help avoid XSS?

Thank you in advance.

  • 写回答

2条回答 默认 最新

  • doukuanghuan7582 2015-02-18 18:14
    关注

    If you're seriously worried about it being a number, just cast it as such

    $errorget = (int)$_GET['err']; //this is always a number

    Next, this really isn't a candidate for XSS attacks because you're not outputting the data anywhere (i.e. echo $_GET['err']). Providing bad data in this case will simply do... nothing. As in $error = null; Providing a list of what should happen on the other end avoids XSS entirely.

    评论

报告相同问题?

悬赏问题

  • ¥15 R语言Rstudio突然无法启动
  • ¥15 关于#matlab#的问题:提取2个图像的变量作为另外一个图像像元的移动量,计算新的位置创建新的图像并提取第二个图像的变量到新的图像
  • ¥15 改算法,照着压缩包里边,参考其他代码封装的格式 写到main函数里
  • ¥15 用windows做服务的同志有吗
  • ¥60 求一个简单的网页(标签-安全|关键词-上传)
  • ¥35 lstm时间序列共享单车预测,loss值优化,参数优化算法
  • ¥15 Python中的request,如何使用ssr节点,通过代理requests网页。本人在泰国,需要用大陆ip才能玩网页游戏,合法合规。
  • ¥100 为什么这个恒流源电路不能恒流?
  • ¥15 有偿求跨组件数据流路径图
  • ¥15 写一个方法checkPerson,入参实体类Person,出参布尔值