PHP,通过POST传递数组
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/14071587/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
PHP, pass array through POST
提问by user1722791
Which is the most secure way to send an array through POST?
通过哪种方式发送数组最安全POST?
foreach ($id as $array)
{
<input type="hidden" name="prova[]" value="<?php echo $array; ?>"/>
}
<input type="submit" name="submit"/>
or using implode()to create a single variable, pass the variable and then use explode()to get back the values into a new array?
或implode()用于创建单个变量,传递变量,然后用于explode()将值取回新数组?
回答by MrGlass
EditIf you are asking about security, see my addendum at the bottom Edit
编辑如果您询问安全性,请参阅底部的我的附录编辑
PHP has a serializefunction provided for this specific purpose. Pass it an array, and it will give you a string representation of it. When you want to convert it back to an array, you just use the unserializefunction.
PHP 具有为此特定目的提供的序列化函数。传递给它一个数组,它会给你一个字符串表示。当您想将其转换回数组时,只需使用反序列化函数即可。
$data = array('one'=>1, 'two'=>2, 'three'=>33);
$dataString = serialize($data);
//send elsewhere
$data = unserialize($dataString);
This is often used by lazy coders to save data to a database. Not recommended, but works as a quick/dirty solution.
这通常被懒惰的程序员用来将数据保存到数据库中。不推荐,但可以作为快速/肮脏的解决方案。
Addendum
附录
I was under the impression that you were looking for a way to send the data reliably, not "securely". No matter how you pass the data, if it is going through the users system, you cannot trust it at all. Generally, you should store it somewhere on the server & use a credential (cookie, session, password, etc) to look it up.
我的印象是您正在寻找一种方法来可靠地发送数据,而不是“安全地”发送数据。无论您如何传递数据,如果它通过用户系统,您就根本无法信任它。通常,您应该将它存储在服务器上的某个位置并使用凭据(cookie、会话、密码等)来查找它。
回答by seamus
http://php.net/manual/en/reserved.variables.post.php
http://php.net/manual/en/reserved.variables.post.php
The first comment answers this.
第一条评论回答了这个问题。
<form ....>
<input name="person[0][first_name]" value="john" />
<input name="person[0][last_name]" value="smith" />
...
<input name="person[1][first_name]" value="jane" />
<input name="person[1][last_name]" value="jones" />
</form>
<?php
var_dump($_POST['person']);
array (
0 => array('first_name'=>'john','last_name'=>'smith'),
1 => array('first_name'=>'jane','last_name'=>'jones'),
)
?>
The name tag can work as an array.
名称标签可以用作数组。
回答by laxonline
You could put it in the session:
你可以把它放在会话中:
session_start();
$_SESSION['array_name'] = $array_name;
Or if you want to send it via a form you can serialize it:
或者,如果您想通过表单发送它,您可以将其序列化:
<input type='hidden' name='input_name' value="<?php echo htmlentities(serialize($array_name)); ?>" />
$passed_array = unserialize($_POST['input_name']);
Note that to work with serialized arrays, you need to use POST as the form's transmission method, as GET has a size limit somewhere around 1024 characters.
请注意,要使用序列化数组,您需要使用 POST 作为表单的传输方法,因为 GET 有大约 1024 个字符的大小限制。
I'd use sessions wherever possible.
我会尽可能使用会话。
回答by Chris
There are two things to consider: users can modify forms, and you need to secure against Cross Site Scripting (XSS).
有两件事需要考虑:用户可以修改表单,并且您需要防止跨站点脚本 (XSS)。
XSS
跨站脚本攻击
XSS is when a user enters HTML into their input. For example, what if a user submitted this value?:
XSS 是指用户在其输入中输入 HTML 时。例如,如果用户提交了这个值怎么办?:
" /><script type="text/javascript" src="http://example.com/malice.js"></script><input value="
This would be written into your form like so:
这将被写入您的表单,如下所示:
<input type="hidden" name="prova[]" value="" /><script type="text/javascript" src="http://example.com/malice.js"></script><input value=""/>
The best way to protect against this is to use htmlspecialchars()to secure your input. This encodes characters such as <into <. For example:
防止这种情况的最佳方法是使用htmlspecialchars()保护您的输入。这会将字符编码<为<. 例如:
<input type="hidden" name="prova[]" value="<?php echo htmlspecialchars($array); ?>"/>
You can read more about XSS here: https://www.owasp.org/index.php/XSS
您可以在此处阅读有关 XSS 的更多信息:https: //www.owasp.org/index.php/XSS
Form Modification
表格修改
If I were on your site, I could use Chrome's developer tools or Firebug to modify the HTML of your page. Depending on what your form does, this could be used maliciously.
如果我在您的网站上,我可以使用 Chrome 的开发人员工具或 Firebug 来修改您页面的 HTML。根据您的表单的功能,这可能会被恶意使用。
I could, for example, add extra values to your array, or values that don't belong in the array. If this were a file system manager, then I could add files that don't exist or files that contain sensitive information (e.g.: replace myfile.jpgwith ../index.phpor ../db-connect.php).
例如,我可以向数组添加额外的值,或者不属于该数组的值。如果这是一个文件系统管理器,那么我可以添加不存在的文件或包含敏感信息的文件(例如:替换myfile.jpg为../index.php或../db-connect.php)。
In short, you always need to check your inputs later to make sure that they make sense, and only use safe inputs in forms. A File ID (a number) is safe, because you can check to see if the number exists, then extract the filename from a database (this assumes that your database contains validated input). A File Nameisn't safe, for the reasons described above. You must either re-validate the filename or else I could change it to anything.
简而言之,您总是需要稍后检查您的输入以确保它们有意义,并且仅在表单中使用安全输入。文件 ID(数字)是安全的,因为您可以检查该数字是否存在,然后从数据库中提取文件名(假设您的数据库包含经过验证的输入)。由于上述原因,文件名不安全。您必须重新验证文件名,否则我可以将其更改为任何内容。
回答by Naftali aka Neal
Why are you sending it through a post if you already have it on the server (PHP) side?
如果您已经在服务器(PHP)端拥有它,为什么还要通过帖子发送它?
Why not just save the array to s $_SESSIONvariable so you can use it when the form gets submitted, that might make it more "secure" since then the client cannot change the variables by editing the source.
为什么不将数组保存到 s$_SESSION变量,以便在提交表单时使用它,这可能会使其更加“安全”,因为客户端无法通过编辑源来更改变量。
It all depends on what you reallywant to do.
这一切都取决于你真正想要做什么。
