什么是从我的PHP网站过滤无效的utf8?
[英]what is filtering invalid utf8 from my PHP website?
问题描述
My website is fully converted to use utf-8, (mysql, http headers, PHP mb_string etc). 
我的网站完全转换为使用utf-8,(mysql,http标头,PHP mb_string等)。
Im doing some penetration testing and trying to POST invalid utf to one of the scripts (using BurpSuite). 我做了一些渗透测试,并试图将无效的utf POST到其中一个脚本(使用BurpSuite)。
But when I post the invalid utf, an just hex-dump the $_POST var, I see that the invalid utf sequence has already been sanitised before I try to validate it using mb_detect_encoding. 但是当我发布无效的utf时,只是十六进制转储$ _POST var,我看到无效的utf序列在我尝试使用mb_detect_encoding进行验证之前已经被清理过了。
This sounds like good news for me, but I want to know which layer is transforming the POST data? 这听起来对我来说是个好消息,但我想知道哪一层正在改变POST数据?
Is it a side-effect of the Content-Type HTTP Header, maybe my webserver is doing it (lighttpd). 它是Content-Type HTTP Header的副作用,也许我的网络服务器正在这样做(lighttpd)。 Or is it PHP itself doing it, when populating $_POST? 或者,当填充$ _POST时,它本身就是PHP吗?
I expected to see the invalid utf hexdumped, leaving me to sanitise it myself. 我希望看到无效的utf hexdumped,让我自己清理它。
1 个解决方案
解决方案1
1 已采纳 2011-10-27 22:17:56
PHP itself does not filter the POST data, it just handles it as binary data which is always "valid" (it's just data, nothing to validate). PHP本身不会过滤POST数据,它只是将其作为二进制数据处理,它始终是“有效的”(它只是数据,无需验证)。
I would therefore suspect that there is some module with your webserver that is changing the data or there's some PHP extension that is filtering the data. 因此,我怀疑你的网络服务器有一些模块正在改变数据,或者有一些PHP扩展正在过滤数据。
Check if you've got a web-firewall installed with your webserver and the list of extensions you're loading with PHP and if there is something input filtering related. 检查您的网络服务器是否安装了Web防火墙,以及您使用PHP加载的扩展列表以及是否存在与输入过滤相关的内容。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.