PHP:如果我允许用户将内容添加到双引号变量中,是否可以将其操作为漏洞?
This code is used inside a closed source CMS:
If I have a php file set up like this
$var1 = ""; $var2 = ""; $var3 = "";
And allow people to add their own content into the variables, can this be manipulated and turned into a vulnberability? The only way I will be using these variables is echoing out the variables contents and returning the variable in a function.
I just want to make sure that php code can't be entereed into the variables somehow and be processed. I'm not 100% aware of all php vulnerabilities, so figured I'd ask on here.
EDIT
So to give a little more information: I am using this inside a closed source CMS that I've developed. I am giving textarea's for the users to type in their content for that particular variable. They type in their variables, and then it saves to a page via file_put_contents(). This page is a php page included in pages that use this, and basically prevents me from having to store all these variables inside a database. To use the variables, they type (in a template engine) {%var1%} and the variables is replaced with the string using a return from the template engine.
此代码在封闭源CMS中使用: p>
如果我有 一个像这样设置的php文件 p>
$ var1 =“”; $ var2 =“”; $ var3 =“”;
code> pre>
并且允许人们将自己的内容添加到变量中,这可以被操纵并变成易受攻击的吗? 我将使用这些变量的唯一方法是回显变量内容并在函数中返回变量。 p>
我只是想确保php代码无法进入 变量以某种方式被处理。 我不是100%意识到所有的php漏洞,所以我想在这里问。 p>
编辑 h2>
所以要多一点 信息:我在我开发的封闭源CMS中使用它。 我正在给textarea用户输入该特定变量的内容。 他们输入变量,然后通过file_put_contents()保存到页面。 这个页面是一个包含在使用它的页面中的php页面,基本上可以防止我将所有这些变量存储在数据库中。 要使用变量,他们键入(在模板引擎中){%var1%},并使用模板引擎返回的变量替换变量。 p>
div>
It depends how you're setting $var1-3, you haven't given us any information on this.
If it's coming from the user (including $_SERVER) they could set it to anything.
This only becomes a risk if you are working with a database (they could use SQL injection) or printing their value to the page (they could provide javascript).
There are many ways of avoiding these issues, for example escaping html chars with htmlspecialchars() will avoid javascript injection as it converts the <script> tags to text.