
Is $_SERVER[REQUEST_METHOD] manipulable?

In a PHP project I'm developing I have a couple of requests that can be either POST or GET. Currently, I'm using the $_SERVER[REQUEST_METHOD] value to determine which request array to use. I know that $_REQUEST values can be manipulated with cookies; is the $_SERVER superglobal vulnerable to attacks?

The $_SERVER superglobal is filled by PHP with data it gets from the web server.

So unless the attacker replaces the web server with his own, or manages an extremely lucky buffer overflow against the server, you are fine.

REQUEST_METHOD is not limited to POST and GET - you also need to handle HEAD (IIRC PHP terminates the script at the first symbol of output when it sees that header) and (on unlikely setups) you may get some WebDAV.

In what sense can $_REQUEST be "manipulated" with cookies? Cookies do override values coming from POST and GET, but all three values are directly controlled by the client making the request.

If you want GET and POST to have priority over cookies, you can set the variable request_order in your php.ini:

request_order = CGP

(which gives 'post' priority over 'get' over cookies). You can even leave out C altogether.
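The following is an added example, not code from the thread: it reproduces how PHP merges $_GET, $_POST and $_COOKIE into $_REQUEST for a given request_order string (letters are applied left to right, later sources overwrite earlier ones), and shows the pattern the question describes of picking the input array from REQUEST_METHOD so cookies never enter the picture. The function names and the sample arrays are constructed for illustration.

```php
<?php
// Added example (not from the thread): simulate the request_order merge and
// dispatch on REQUEST_METHOD instead of reading $_REQUEST.

declare(strict_types=1);

/**
 * Reproduce PHP's $_REQUEST build for a request_order string such as "CGP".
 * Letters are processed left to right; a later source overwrites an earlier
 * one, so "CGP" means POST beats GET, which beats cookies.
 */
function buildRequest(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged  = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_merge with string keys: right-hand values overwrite.
            $merged = array_merge($merged, $sources[$letter]);
        }
    }
    return $merged;
}

/**
 * Pick the input array from the method the web server reported. Methods the
 * endpoint does not support (HEAD, WebDAV verbs, arbitrary tokens) yield
 * null so the caller can answer 405 instead of silently using a default.
 */
function selectInput(string $method, array $get, array $post): ?array
{
    switch (strtoupper($method)) {
        case 'GET':  return $get;
        case 'POST': return $post;
        default:     return null;
    }
}

// Constructed sample: the client sends the same parameter name in all three places.
$get    = ['id' => '10', 'page' => '2'];
$post   = ['id' => '20'];
$cookie = ['id' => '99'];

// "GP" (php.ini-production default): cookies never reach $_REQUEST.
var_dump(buildRequest($get, $post, $cookie, 'GP'));   // id => '20', page => '2'
// "GPC": the cookie overrides both GET and POST, which is the problem the question describes.
var_dump(buildRequest($get, $post, $cookie, 'GPC'));  // id => '99', page => '2'
// "CGP" as suggested in the answer: POST beats GET beats cookie.
var_dump(buildRequest($get, $post, $cookie, 'CGP'));  // id => '20', page => '2'

// Dispatch on REQUEST_METHOD; under a web server $_SERVER carries the real value.
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
$input  = selectInput($method, $get, $post);
if ($input === null) {
    http_response_code(405);
    header('Allow: GET, POST');
    exit;
}
```

Note that request_order is a PHP_INI_PERDIR setting, so it must be changed in php.ini, .htaccess or the server config; ini_set() at runtime is too late because $_REQUEST is already built when the script starts. Reading $_GET or $_POST explicitly, as selectInput does, removes the dependence on that setting altogether.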

Old thread but since the most voted answer is wrong and security is an important concern, here we go: Not only REQUEST_METHOD but also other values in $_SERVER can be tainted.

See for example http://www.php.net/manual/en/reserved.variables.server.php#95672 and http://shiflett.org/blog/2006/mar/server-name-versus-http-host

So don't trust them blindly.
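As an added example illustrating this answer (not code from the thread or from the linked posts): every $_SERVER key prefixed HTTP_ is a copy of a request header the client chose, and SERVER_NAME can also follow the Host header on servers that derive it from the request, which is the point of the Shiflett article linked above. The code validates the host against an allow-list and sorts the rest of $_SERVER into client-controlled and server-set keys. The allow-list entries and function names are constructed placeholders.

```php
<?php
// Added example (not from the thread): treat HTTP_* entries and the request
// line as client input; use an allow-list for the host rather than echoing it.

declare(strict_types=1);

/**
 * Return the canonical host for this request, or null if the client-supplied
 * Host header is not one we serve. Use the returned allow-list value, never
 * the raw header, when building absolute URLs, redirects or e-mail links.
 */
function canonicalHost(array $server, array $allowedHosts): ?string
{
    $raw = $server['HTTP_HOST'] ?? '';
    // Drop an optional :port suffix; a bracketed IPv6 literal keeps its brackets.
    $host = strtolower((string) preg_replace('/:\d+$/', '', $raw));
    return in_array($host, $allowedHosts, true) ? $host : null;
}

/**
 * Split $_SERVER into keys the client controls directly (request line and
 * headers) and keys set by the server/SAPI. SERVER_NAME is listed as client
 * input because with Apache's UseCanonicalName Off it is taken from Host.
 */
function classifyServerVars(array $server): array
{
    $clientControlled = [
        'REQUEST_METHOD', 'REQUEST_URI', 'QUERY_STRING', 'PATH_INFO',
        'PHP_SELF', 'SERVER_PROTOCOL', 'SERVER_NAME',
    ];
    $out = ['client' => [], 'server' => []];
    foreach ($server as $key => $value) {
        $isClient = strpos($key, 'HTTP_') === 0 || in_array($key, $clientControlled, true);
        $out[$isClient ? 'client' : 'server'][$key] = $value;
    }
    return $out;
}

// Constructed sample data: a legitimate Host and a forged one.
$allowed = ['www.example.com', 'example.com']; // placeholder allow-list

var_dump(canonicalHost(['HTTP_HOST' => 'www.example.com:443'], $allowed)); // "www.example.com"
var_dump(canonicalHost(['HTTP_HOST' => 'attacker.example.net'], $allowed)); // NULL

$sample = [
    'REQUEST_METHOD'  => 'POST',
    'HTTP_HOST'       => 'www.example.com',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.5',
    'SERVER_NAME'     => 'www.example.com',
    'REMOTE_ADDR'     => '198.51.100.7',
    'DOCUMENT_ROOT'   => '/var/www/html',
];
var_dump(classifyServerVars($sample)['client']);
// REQUEST_METHOD, HTTP_HOST, HTTP_X_FORWARDED_FOR and SERVER_NAME appear here;
// REMOTE_ADDR and DOCUMENT_ROOT land under 'server'.
```

REQUEST_METHOD belongs in the client-controlled group too: the client cannot make PHP report a method other than the one it actually sent, which is what the first answer relies on, but it can send any method token it likes, so code that branches on it still needs a default branch for everything it does not expect.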
