dsbgltg159136540 2017-10-18 05:58
浏览 59
已采纳

php安全性以防止恶意软件插入

I am writing a program to be run on a server that takes input from clients in the form http://mywebsite.com/program.php?input=42

I'm concerned that having the client be able to give any value in place of the 42 above could be a security risk because they could put code there that might run on my server. I would like to know if checking that this input is only alphanumberic before proceeding to do anything with it is sufficient protection. If not what should I do to be secure, if so, are there any safety concerns regarding the way in which I do this checking (for example, while checking that the input is alphanumberic could the input if it is malicious code some how get run?)

Thanks

  • 写回答

1条回答 默认 最新

  • duanji6997 2017-10-18 06:10
    关注

    It’s all about how you’re interpreting and using that $_GET['input']

    If you do such a code:

    exec($_GET['input']);

    or

    if($_GET['input']) == 66) {
     exec("rm -r /");
}

    That’s obvious that people can do something dangerous. But it’s less critical than what you think.

    The problem of php it’s that its type system doesn’t encourage people checking their input before using it.

    An usual example is the SQL injectable code:

    $db->query("SELECT * FROM table WHERE id = '. $_GET['id'].'");

    Which is really unsafe.

    In your example, if your input should be an integer you can check if that’s an integer:

    if (!is_integer($_GET['input'])) die("invalid");
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥50 易语言把MYSQL数据库中的数据添加至组合框
  • ¥20 求数据集和代码#有偿答复
  • ¥15 关于下拉菜单选项关联的问题
  • ¥20 java-OJ-健康体检
  • ¥15 rs485的上拉下拉,不会对a-b<-200mv有影响吗,就是接受时,对判断逻辑0有影响吗
  • ¥15 使用phpstudy在云服务器上搭建个人网站
  • ¥15 应该如何判断含间隙的曲柄摇杆机构,轴与轴承是否发生了碰撞?
  • ¥15 vue3+express部署到nginx
  • ¥20 搭建pt1000三线制高精度测温电路
  • ¥15 使用Jdk8自带的算法,和Jdk11自带的加密结果会一样吗,不一样的话有什么解决方案,Jdk不能升级的情况