即将其存储在会话中,然后当用户登录时,重定向到该页面?
$_SESSION['last_page'] = $_SERVER['PHP_SELF'];
//(in a common file on all pages)
然后登录后:
header('location: ' . $_SESSION['last_page']);`
我想知道,因为我读到人们可以修改某些键的值$_SERVER
改用会更好SCRIPT_NAME还是可以PHP_SELF?
问问题
2015 次
3 回答
4
It can be used for XSS vulnerables.
Don't risk it and use
$_SERVER['SCRIPT_NAME'];
instead.
于 2013-04-14T11:47:45.467 回答
2
设置 HTTP 标头时,不应为 Location 提供相对路径/URL,请指定脚本的完整 URL。
$_SESSION['last_page'] = "http://" . $_SERVER["SERVER_NAME"] . $_SERVER["PHP_SELF"];
header('Location: ' . $_SESSION['last_page']);
$_SERVER["SCRIPT_NAME"]&之间的区别在于$_SERVER["PHP_SELF"]“PHP_SELF记住”在 URL 中引用 PHP 脚本之后指定的任何信息。如果您不需要这些额外信息,只需使用$_SERVER["SCRIPT_NAME"].
于 2013-04-14T11:50:09.257 回答
0
Sessions variables cannot be trusted directly. They are considered user input just like GET or POST variables. Therefore I suggest you to list a number of possibilities (or alternatively use a REGEX) to test if $_SESSION['last_page'] is valid, before use it, especially in a redirect.
于 2013-04-14T11:46:50.733 回答