$ _SERVER ['REQUEST_URI']可靠性?
[英]$_SERVER['REQUEST_URI'] reliability?
问题描述
In one of my websites I use $_SERVER['REQUEST_URI'] to establish whether a non-registered user can see the content of a page or not. 
在我的一个网站中,我使用$_SERVER['REQUEST_URI']来确定未注册用户是否可以看到页面的内容。
In the manual there is written about $_SERVER['REQUEST_URI'] : 在手册中写了关于$_SERVER['REQUEST_URI'] :
The URI which was given in order to access this page;
My question is, is it in any client side way possible for a client to access eg. 我的问题是,客户端是否可以通过任何客户端方式访问。 index.php even though $_SERVER['REQUEST_URI'] contains a different value? index.php即使$_SERVER['REQUEST_URI']包含不同的值?
I know that $_SERVER['REQUEST_URI'] contains the page that the client asked and that the server returns but if I don't ask myself these kind of questions once in a while I'm not happy 我知道$_SERVER['REQUEST_URI']包含客户端询问的页面和服务器返回的页面,但是如果我偶尔不问自己这些问题,我会感到不高兴
Also is it considered good practice to use $_SERVER['REQUEST_URI'] in this way? 以这种方式使用$_SERVER['REQUEST_URI']是否也被认为是一种好习惯?
EDIT: I included the script I use as it was too generic 编辑:我包括了我使用的脚本,因为它太通用了
list($c_page) = explode('.',substr($_SERVER['REQUEST_URI'],1));
define('C_PAGE',$c_page ?: 'index');
define('LOGGED',$_SESSION['user']['id'] ?: 0);
if(in_array(C_PAGE,array('page_1','page_2','page_3')) && !LOGGED){ header('Location: login.html'); exit; }
3 个解决方案
解决方案1
1 2012-11-15 09:11:34
You should really track their entrance with a session variable (or a cookie). 您应该使用会话变量(或cookie)真正跟踪它们的进入。 Either of these could be blocked...but they are closer to "foolproof". 这些都可以被阻止...但是它们更接近“万无一失”。 That said, anything can be forged...so use a combination and/or strong unique strings if security is of the utmost importance. 就是说,任何东西都可以伪造的……如果安全性是最重要的,则可以使用组合和/或强壮的唯一字符串。
解决方案2
0 2012-11-15 09:07:52
Personally, I find it more reliable to declare one or more groups (classes) of users that should have access to a file, and then include a page that returns a 401 error if the logged in user if not in any of those groups. 就个人而言,我发现声明一个或多个应该有权访问文件的用户组(类),然后包括一个页面,如果登录的用户不在任何组中,则该页面将返回401错误,这是更可靠的。 eg 例如
session_start();
...
$access = 'admin';
include 'inc/guard.php';
Sounds like in your case you want 'public' and 'logged-in' which is slightly different, but is a case also covered by my guard script. 听起来您需要“公开”和“登录”,这有点不同,但是我的监护人脚本也涵盖了这种情况。 There, I simply check that the $_SESSION variable is empty (I insert stuff into it upon log-in): 在那里,我只是检查$_SESSION变量是否为空(在登录时将东西插入其中):
if($access != 'public' && empty($_SESSION)) {
header('HTTP/1.1 401 Unauthorized', true);
include 'inc/login.php';
exit;
}
解决方案3
0 已采纳 2012-11-15 09:14:13
Depending on the serverside softwarestack you use this variable is set by the webserver or the fastcgi wrapper. 根据服务器端软件堆栈的不同,您使用的变量是由Web服务器或fastcgi包装器设置的。
URL rewriting and non-transparent proxies in your hardware/software stack can influence the value you see within your script. 硬件/软件堆栈中的URL重写和非透明代理可以影响您在脚本中看到的值。
eg Nginx could rewrite the URL from /test.html to /index.php?action=test, then pass it to your webserver. 例如,Nginx可以将URL从/test.html重写为/index.php?action=test,然后将其传递到您的Web服务器。 User would have called /test.html while your application sees /index.php?action=test 当您的应用程序看到/index.php?action=test时,用户会调用/test.html
Conclusion: REQUEST_URI is the URI passed to the webserver and can be used as a reference for URL-based access controls. 结论:REQUEST_URI是传递给Web服务器的URI,可用作基于URL的访问控制的参考。
EDIT: 编辑:
just to avoid confusion, because I've seen the other responses... 只是为了避免造成混乱,因为我已经看到了其他回应...
Your question as I understood: You want to check wether your currently requesting and already password-authorized user has enough permissions to access specific URLs. 据我所知,您的问题是:您想检查一下您当前正在请求且已获得密码授权的用户是否具有足够的权限来访问特定的URL。 Again, yes you can use the request uri as a reference value 同样,可以,您可以将请求uri用作参考值
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.