$_SERVER["REQUEST_URI"] is it secure?
I have a question about this function: $_SERVER["REQUEST_URI"]. Can somebody tell me if it's safe to use the way I use it (this is the form I use for a new topic in a forum)?

```php
<form name="vpid" action="<?php echo htmlspecialchars($_SERVER["REQUEST_URI"]);?>" method="post">
```
Thank you谢谢
The first thing I'd say is that you probably don't need REQUEST_URI in this context.
If you want a form to post back to the current page, the action attribute can be set to a blank string or a dot; you don't need to specify the whole current URL.
In cases where you do need it, the answer is that yes, REQUEST_URI is safe.
A lot of values in $_SERVER are not safe, so it's good to be cautious, but REQUEST_URI is safe because it represents the address that was used to get to the site; if the address is invalid, then the user wouldn't have been able to get to the server in the first place.
Other $_SERVER fields can be hacked; it's trivial to spoof things like REMOTE_HOST and HTTP_REFERER, so you should never rely on them to be reliable, but REQUEST_URI ought to be safe.
The main thing here though is that you shouldn't really need it anyway.
Already an old question, but no, you cannot trust $_SERVER['REQUEST_URI'] because it will only be available on an Apache server.
Here is how Drupal handles it in the 7.x version:
```php
function request_uri() {
  if (isset($_SERVER['REQUEST_URI'])) {
    $uri = $_SERVER['REQUEST_URI'];
  }
  else {
    if (isset($_SERVER['argv'])) {
      $uri = $_SERVER['SCRIPT_NAME'] . '?' . $_SERVER['argv'][0];
    }
    elseif (isset($_SERVER['QUERY_STRING'])) {
      $uri = $_SERVER['SCRIPT_NAME'] . '?' . $_SERVER['QUERY_STRING'];
    }
    else {
      $uri = $_SERVER['SCRIPT_NAME'];
    }
  }
  // Prevent multiple slashes to avoid cross site requests via the Form API.
  $uri = '/' . ltrim($uri, '/');
  return $uri;
}
```
And the WordPress version, from v3.0.0 up to now. Its purpose is to fill in the blanks and normalize the $_SERVER variables.
```php
function wp_fix_server_vars() {
    global $PHP_SELF;
    $default_server_values = array(
        'SERVER_SOFTWARE' => '',
        'REQUEST_URI'     => '',
    );
    $_SERVER = array_merge( $default_server_values, $_SERVER );
    // Fix for IIS when running with PHP ISAPI.
    if ( empty( $_SERVER['REQUEST_URI'] ) || ( 'cgi-fcgi' !== PHP_SAPI && preg_match( '/^Microsoft-IIS\//', $_SERVER['SERVER_SOFTWARE'] ) ) ) {
        if ( isset( $_SERVER['HTTP_X_ORIGINAL_URL'] ) ) {
            // IIS Mod-Rewrite.
            $_SERVER['REQUEST_URI'] = $_SERVER['HTTP_X_ORIGINAL_URL'];
        } elseif ( isset( $_SERVER['HTTP_X_REWRITE_URL'] ) ) {
            // IIS Isapi_Rewrite.
            $_SERVER['REQUEST_URI'] = $_SERVER['HTTP_X_REWRITE_URL'];
        } else {
            // Use ORIG_PATH_INFO if there is no PATH_INFO.
            if ( ! isset( $_SERVER['PATH_INFO'] ) && isset( $_SERVER['ORIG_PATH_INFO'] ) ) {
                $_SERVER['PATH_INFO'] = $_SERVER['ORIG_PATH_INFO'];
            }
            // Some IIS + PHP configurations put the script-name in the path-info (no need to append it twice).
            if ( isset( $_SERVER['PATH_INFO'] ) ) {
                if ( $_SERVER['PATH_INFO'] == $_SERVER['SCRIPT_NAME'] ) {
                    $_SERVER['REQUEST_URI'] = $_SERVER['PATH_INFO'];
                } else {
                    $_SERVER['REQUEST_URI'] = $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO'];
                }
            }
            // Append the query string if it exists and isn't null.
            if ( ! empty( $_SERVER['QUERY_STRING'] ) ) {
                $_SERVER['REQUEST_URI'] .= '?' . $_SERVER['QUERY_STRING'];
            }
        }
    }
    // Fix for PHP as CGI hosts that set SCRIPT_FILENAME to something ending in php.cgi for all requests.
    if ( isset( $_SERVER['SCRIPT_FILENAME'] ) && ( strpos( $_SERVER['SCRIPT_FILENAME'], 'php.cgi' ) == strlen( $_SERVER['SCRIPT_FILENAME'] ) - 7 ) ) {
        $_SERVER['SCRIPT_FILENAME'] = $_SERVER['PATH_TRANSLATED'];
    }
    // Fix for Dreamhost and other PHP as CGI hosts.
    if ( strpos( $_SERVER['SCRIPT_NAME'], 'php.cgi' ) !== false ) {
        unset( $_SERVER['PATH_INFO'] );
    }
    // Fix empty PHP_SELF.
    $PHP_SELF = $_SERVER['PHP_SELF'];
    if ( empty( $PHP_SELF ) ) {
        $_SERVER['PHP_SELF'] = preg_replace( '/(\?.*)?$/', '', $_SERVER['REQUEST_URI'] );
        $PHP_SELF = $_SERVER['PHP_SELF'];
    }
}
```
The Symfony HttpFoundation method is a little bit more complex.
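As an added example (not code from either answer, nor from Drupal or WordPress), here is a helper that applies the same fallback-and-normalize idea as the functions above and then escapes the result for an HTML attribute, which is what the form in the question needs; `request_uri_from()`, `form_action_from()` and the sample `$server` arrays are assumptions constructed for this illustration:

```php
<?php
// Added example: derive a form action from $_SERVER-style input with the same
// fallbacks the framework code above uses, then escape it for an attribute.
// Not code from the original answers or from Drupal/WordPress.

function request_uri_from(array $server): string {
    // Prefer REQUEST_URI; fall back to SCRIPT_NAME + QUERY_STRING on SAPIs that lack it.
    if (isset($server['REQUEST_URI']) && $server['REQUEST_URI'] !== '') {
        $uri = $server['REQUEST_URI'];
    } elseif (isset($server['QUERY_STRING']) && $server['QUERY_STRING'] !== '') {
        $uri = $server['SCRIPT_NAME'] . '?' . $server['QUERY_STRING'];
    } else {
        $uri = $server['SCRIPT_NAME'] ?? '/';
    }
    // Collapse leading slashes so "//host/path" cannot become a protocol-relative URL
    // (the same reason Drupal's request_uri() does this).
    return '/' . ltrim($uri, '/');
}

function form_action_from(array $server): string {
    // ENT_QUOTES escapes both quote styles, so the value is safe inside action="...".
    return htmlspecialchars(request_uri_from($server), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs (not real requests).
$samples = [
    'apache'  => ['REQUEST_URI' => '/forum/new.php?topic=1'],
    'no-uri'  => ['SCRIPT_NAME' => '/forum/new.php', 'QUERY_STRING' => 'topic=1'],
    'quotes'  => ['REQUEST_URI' => '/forum/new.php?t="><b>x</b>'],
    'slashes' => ['REQUEST_URI' => '//evil.example/phish'],
];
foreach ($samples as $name => $server) {
    // "quotes" prints /forum/new.php?t=&quot;&gt;&lt;b&gt;x&lt;/b&gt;; "slashes" prints /evil.example/phish
    printf("%-8s action=\"%s\"\n", $name, form_action_from($server));
}
```

The escaping is what keeps a crafted path from breaking out of the attribute, and the leading-slash normalization is what keeps a value like //host/path from becoming a protocol-relative URL; for a form that posts back to the same page, action="" avoids the question entirely.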