在PHP中清理查询字符串

我有一个带有查询字符串的网页.

在PHP我有:

$querystring=$_SERVER["QUERY_STRING"];
echo "
test
";

我需要清理查询字符串吗？
如果是,如果不这样做,我该如何消毒以及可能的攻击是什么？

如果您运行的是PHP> = 5.2.0,请使用filter_input或filter_input_array.

假设你的URL和查询字符串是这样的http://example.com/?liquor=gin&mixer=tonic&garnish=lime.

要进行过滤,您可以执行以下操作.

/*
 FILTER_SANITIZE_STRING removes most dangerous characters. That may 
 not always be what you want. Read the PHP filters docs. 

 We are also overwriting the $_GET array (the query string) with the sanitized
 versions of these variables.
*/

$_GET = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING);

/* 
rebuild query string using white listed variables, 
not $_GET to prevent variable injection as M?rti?š Briedis 
suggests above.
*/

$qv['liquor']  = $_GET['liquor'];
$qv['mixer']   = $_GET['mixer'];
$qv['garnish'] = $_GET['garnish'];

# build and URL encode the query string using the above array.
$querystring = http_build_query( $qv );

您应该使用htmlspecialchars($query, ENT_QUOTES)以防止任何XSS攻击.

echo "
test
"

但是,您应该列出任何参数,因为智能攻击者可以伪造查询并尝试CSRF攻击.