PHP security for setting the Location header via $_GET

I have this code on my page:

header("Location: $page");

The $page variable is passed to the script as a GET variable; do I need any security? (if so)

I was going to just use addslashes(), but that would fill the url ...

+3
4 answers

I, , , , ( www.yoursite.com?page=badsite.com). , badsite.com , , , .

$urls , :

$urls = array(
    'pageName1' => '/link/to/page/number/1',
    'pageNumber2' => '/link/to/page/number/2',
    'fancyPageName3' => '/link/to/page/number/3',
);
# Now your URL can look like this:
# www.yoursite.com?page=pageName1
+8

. , , script - .

- - :

!

, , , . , ​​ PHP 4.4.2 5.1.2 , URI , . , ?page=%68%74%74%70%3a%2f%2f%65%76%69%6c%2e%65%78%61%6d%70%6c%65%2e%63%6f%6d%2f, URL- ?page=http://evil.example.com/.

+3

, . , , , , . , , , , . :

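// Take the requested page from the query string (empty string if absent).
$page = isset($_GET['page']) ? $_GET['page'] : '';
$safe_pages = array('index.php', 'login.php', 'signup.php');
// Strict comparison: only an exact string match is accepted.
if (in_array($page, $safe_pages, true)) {
  header("Location: $page");
  exit; // stop the script once the redirect header is sent
}
else {
  echo 'That page is not accessible.';
}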
+2

Or at least define a whitelist of allowed URLs and redirect the user only if the URL they set in the GET variable is in the list.

0
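
The allow-list approach from the answers above, as an added example (not code from the original posts): the `page` parameter is treated as a lookup key and never as a URL, so the percent-encoded address quoted earlier simply fails the lookup. `resolve_redirect`, `REDIRECT_ROUTES` and the `/` fallback are hypothetical names and values chosen for illustration.

```php
<?php
// Added example: hypothetical helper, not code from the original answers.
// Keys are the only values accepted from the query string; the paths on the
// right are fixed in code and never come from user input.
const REDIRECT_ROUTES = [
    'pageName1'      => '/link/to/page/number/1',
    'pageNumber2'    => '/link/to/page/number/2',
    'fancyPageName3' => '/link/to/page/number/3',
];
const REDIRECT_FALLBACK = '/'; // assumed default landing page

/**
 * Map a user-supplied key to a fixed local path.
 * Anything that is not an exact, case-sensitive key match gets the fallback.
 */
function resolve_redirect($requested, array $routes, string $fallback): string
{
    // ?page[]=x makes $_GET['page'] an array; reject non-strings outright.
    if (!is_string($requested) || !array_key_exists($requested, $routes)) {
        return $fallback;
    }
    return $routes[$requested];
}

// Constructed sample inputs. PHP URL-decodes $_GET values before the script
// sees them, so the percent-encoded form arrives as the plain URL.
$samples = [
    'pageName1',
    'badsite.com',
    urldecode('%68%74%74%70%3a%2f%2f%65%76%69%6c%2e%65%78%61%6d%70%6c%65%2e%63%6f%6d%2f'),
    ['pageName1'],
    null,
];

if (PHP_SAPI === 'cli') {
    // Command-line run: show how each sample resolves.
    foreach ($samples as $sample) {
        $shown = json_encode($sample, JSON_UNESCAPED_SLASHES);
        printf("%-28s -> %s\n", $shown, resolve_redirect($sample, REDIRECT_ROUTES, REDIRECT_FALLBACK));
    }
} else {
    // Web request: redirect only to a path taken from the fixed table.
    $target = resolve_redirect($_GET['page'] ?? null, REDIRECT_ROUTES, REDIRECT_FALLBACK);
    header('Location: ' . $target, true, 302);
    exit; // stop so nothing after the redirect runs
}
```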

Source: https://habr.com/ru/post/1708890/

