dongmeba4877 2009-02-05 17:01

Dynamic include

What would be the safest way to include pages with $_GET without putting allowed pages in an array/use switch etc.? I have many pages so no thank you.

$content = addslashes($_GET['content']);

if (file_exists(PAGE_PATH."$content.html")) { 
include(PAGE_PATH."$content.html");
}

How safe is that?

Thanks.


  • douou1872 2009-02-05 17:05

    You should use at least something like that to prevent XSS attacks.

    $content = htmlentities($_GET['page'], ENT_QUOTES, 'UTF-8');
    

    And addslashes won't protect you from SQL Injections.

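One way to include pages by name without maintaining a list of allowed pages, as an added example that is not part of the original thread: the name is checked against a strict character pattern, and the resolved path is confirmed to lie inside the page directory. `resolve_page()` and the value given to `PAGE_PATH` are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. PAGE_PATH is the asker's constant;
// its value here and the helper resolve_page() are assumptions.
define('PAGE_PATH', __DIR__ . '/pages/');

/**
 * Map a request parameter to an .html file under $baseDir, or return null.
 */
function resolve_page($name, $baseDir)
{
    // Arrays (?content[]=x) and other non-strings are rejected outright.
    if (!is_string($name)) {
        return null;
    }
    // Pattern allowlist: letters, digits, '_' and '-' only, so no '/', '\',
    // '.', NUL byte or URL scheme can reach the filesystem call.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.html');
    if ($base === false || $path === false) {
        return null; // base directory or requested page does not exist
    }
    // Containment check after symlinks are resolved: the file must still
    // live under the page directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

$requested = isset($_GET['content']) ? $_GET['content'] : null;
$page = resolve_page($requested, PAGE_PATH);
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
// readfile() sends the file as-is; include would execute any PHP inside it.
readfile($page);
```

If the pages must run PHP, replace `readfile($page)` with `include $page` and keep the page directory non-writable by the web server user.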
