stackoom
  简体   繁体   中英

PHP Security Advice on $_GET (combining clean URLs with query string)

 原文  2011-10-26 19:34:30       php

Question

I am using "clean" URLs like this: 

http://localhost/controller/action/param

I access the parameters with a custom function like this my_get(1), my_get(2), etc...

However there are times where I think I need to combine them with query strings. For example: If I need parameter values containing paths with several slashes like: 

http://localhost/controller/action/param?mypath=foo/bar/qux.jpg

I do that because it would be a little harder to implement if done with clean URL.

Now my question is, in combining clean URL and with query string, I only intend to allow this character class: 

[.&=a-z0-9\/_-]

I was wondering would there be any security issue with it? Should I disallow certain characters?

1 answers

solution1
 0  2011-10-26 19:45:41

Don't mind about string formatting, but please validate the path passed... In the example you said: " in the example above, mypath's value will be deleted with unlink();", well, if you don't validate it in worst cases an attacker could delete any file on the filesystem of the server... ;)

So don't bother about validating the string with a regex, but validate the content of the string and make it safe for your environment... :)

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question php $_GET not working with clean urls Make clean URLS and retrieve query string PHP combining two URL query string using two GET methods Clean URLs for search query? Clean up URLs with PHP Routing clean URLs in PHP Clean urls in php with / at the end PHP - mod_rewrite clean urls and query strings Clean PathInfo URLs and Query Strings on IIS 5.1 and PHP 5 How to apply php function to $_GET to get clean URLs?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM