Question

确保$page和$getVars干净安全的最佳方法是什么？

//fetch the passed request
$request = $_SERVER['QUERY_STRING'];

//parse the page request and other GET variables
$parsed = explode('&', $request);

//the page is the first element
$page = array_shift($parsed);

//the rest of the array are GET statements, parse them out;
$getVars = array();
foreach($parsed as $argument)
{
  //split GET vars along '=' symbol to seperate the variable and its value
  list($variable, $value) = explode('=', $argument);
  $getVars[$variable] = $value;
}

Answer 1

在您的情况下，您只想使用$_GET或$_REQUEST代替$_SERVER['QUERY_STRING']，而其他人已经提到过。

为了验证和清理变量，您应该查看PHP 5.2中引入的PHP's Data Filtering functions。您还可以找到一些与此类似的示例in the PHP manual：

if (filter_var('0.0.0.0', FILTER_VALIDATE_IP) !== false) {
    // IP address is valid
}

或

$options = array(
    'options' => array(
        'min_range' => 0,
        'max_range' => 2,
    )
);

if (filter_var(1, FILTER_VALIDATE_INT, $options) !== false) {
    // 1 is between 0 and 2
}

清理查询字符串的最佳方法是什么？

1 个答案: