Clean a PHP _GET var string down to letters only

Time: 2017-07-24 22:34:44

Tags: php html mysql mysqli

I have the usual PHP function that includes a file and displays it as a page, like this

index.php?F=contact
<?php
$file=$_GET['F'];
include('the_files/'.$file.'.php');
?>
This will display the file contact.php

For security reasons, I want to filter

$file=$_GET['F'];

with some kind of code, so that only text with no symbols and no slashes can get into the INCLUDE.

I tried

    <?php
    // $conn is assumed to be an open mysqli connection; the first parameter
    // of mysqli_real_escape_string() must be the connection, not a string
    $clean_file = mysqli_real_escape_string($conn, $_GET['F']);
    include('the_files/'.$clean_file.'.php');
    ?>

but it seems that only sanitizes for MySQLi...

Any idea how to do this?

4 answers:

Answer 0 (score: 1)

Try:

$file = preg_replace('/[^a-z_\-]/i', '', $_GET['F']);

Of course, if they are trying to hack your page, I would run a test first and send it to the IC3.

Answer 1 (score: 0)

You're right, letting the user control which script gets executed is very tricky. I would go a step further than just sanitizing the input. Instead, I would resolve the full path and make sure it lies inside the allowed directory.

// path to include files, relative to the document root
const INCLUDE_DIR = '/the_files/';

$file = $_GET['F'];

// canonical absolute path of the allowed directory; realpath() works on the
// filesystem, so the document root has to be prepended explicitly
$baseDir = realpath($_SERVER['DOCUMENT_ROOT'] . INCLUDE_DIR);
// keep a trailing separator so the prefix test cannot match a sibling directory
$baseDir = ($baseDir === false) ? false : $baseDir . DIRECTORY_SEPARATOR;

// resolve the real path of the requested file (../ and ./ collapsed, symlinks followed)
$fileFullPath = ($baseDir === false) ? false : realpath($baseDir . $file);

// if the file doesn't exist
if ($fileFullPath === false ||
    // or the resolved path does not start with the allowed directory
    strncmp($fileFullPath, $baseDir, strlen($baseDir)) !== 0
):
    http_response_code(404); // 404 Not Found error
    exit;
endif;

// here we know that the file exists and is inside INCLUDE_DIR
include $fileFullPath;

Answer 2 (score: 0)

You could do the following:

Make a whitelist like this and check whether the parameter value is in the whitelist.

$whitelist = array('aaa', 'bbb', 'ccc');

if(in_array($_GET['page'], $whitelist)){
 include($_GET['page'].'.php');
}else{
 include('default.php');
}

Or, if all the possible values are file names, check whether the file exists:

$file = preg_replace('/[^a-z]/', '', $_GET['page']).'.php'; // remove all non-a-z characters

if(file_exists($file)){
 include($file);
}else{
 include('default.php');
}
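As an added example that is not part of the question or of any answer, the resolver below combines the exact-match whitelist from answer 2 with the realpath containment check from answer 1 for the `include('the_files/'.$file.'.php')` pattern; the directory, page names and test inputs are constructed so it runs stand-alone from the command line.

```php
<?php
// Added example, not code from the question or the answers: resolves the
// ?F= value of the "include('the_files/'.$file.'.php')" pattern safely.
declare(strict_types=1);

/**
 * Map a raw ?F= value to an absolute path inside $baseDir, or null to reject.
 * The exact-match allowlist decides; realpath() only confirms the result.
 */
function resolvePage(string $raw, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist with strict comparison (third argument true).
    if (!in_array($raw, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: canonicalise and confirm the file lies in $baseDir.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $raw . '.php');
    if ($base === false || $full === false) {
        return null;
    }
    // Trailing separator so a sibling such as "the_files_old" is not accepted.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Constructed fixture: a temporary "the_files" directory holding two pages.
$dir = sys_get_temp_dir() . '/the_files_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
foreach (['contact', 'about'] as $page) {
    file_put_contents("$dir/$page.php", "<?php echo 'page: $page';");
}
$allowed = ['contact', 'about'];

// Constructed inputs: one valid value, then malformed or traversal-style values.
foreach (['contact', 'Contact', '../index', "contact\0", 'about.php', ''] as $in) {
    $result = resolvePage($in, $dir, $allowed);
    printf("%-18s -> %s\n", json_encode($in),
        $result === null ? 'rejected (404)' : 'include ' . basename($result));
}

// Clean up the fixture.
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

Only `contact` resolves; the other five inputs are rejected by the allowlist before `realpath()` ever sees them, which also keeps the null-byte value away from the filesystem functions.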

Answer 3 (score: 0)
