$_SERVER['REQUEST_URI']
In one of my websites I use $_SERVER['REQUEST_URI'] to establish whether a non-registered user can see the content of a page or not.
The manual says about $_SERVER['REQUEST_URI']:
The URI which was given in order to access this page; for instance, '/index.html'.
My question is: is it in any client-side way possible for a client to access e.g. index.php even though $_SERVER['REQUEST_URI'] contains a different value?
I know that $_SERVER['REQUEST_URI'] contains the page that the client asked for and that the server returns, but if I don't ask myself these kinds of questions once in a while I'm not happy.
Also, is it considered good practice to use $_SERVER['REQUEST_URI'] in this way?
EDIT: I included the script I use as it was too generic
<?php
session_start(); // $_SESSION is only populated after this call
// page name = text between the leading '/' and the first '.' of the request URI
list($c_page) = explode('.', substr($_SERVER['REQUEST_URI'], 1));
define('C_PAGE', $c_page ?: 'index');
define('LOGGED', $_SESSION['user']['id'] ?? 0); // 0 when nobody is logged in (?? avoids a notice on a missing key)
if (in_array(C_PAGE, array('page_1', 'page_2', 'page_3'), true) && !LOGGED) { header('Location: login.html'); exit; }
Depending on the server-side software stack you use, this variable is set by the web server or the FastCGI wrapper.
URL rewriting and non-transparent proxies in your hardware/software stack can influence the value you see within your script.
E.g. Nginx could rewrite the URL from /test.html to /index.php?action=test, then pass it to your web server. The user would have called /test.html while your application sees /index.php?action=test.
Conclusion: REQUEST_URI is the URI passed to the webserver and can be used as a reference for URL-based access controls.
EDIT:
just to avoid confusion, because I've seen the other responses...
Your question as I understood it: you want to check whether the currently requesting and already password-authorized user has enough permissions to access specific URLs. Again, yes, you can use the request URI as a reference value.
You should really track their entrance with a session variable (or a cookie). Either of these could be blocked... but they are closer to "foolproof". That said, anything can be forged... so use a combination and/or strong unique strings if security is of the utmost importance.
Personally, I find it more reliable to declare one or more groups (classes) of users that should have access to a file, and then include a page that returns a 401 error if the logged-in user is not in any of those groups. E.g.
session_start();
...
$access = 'admin';
include 'inc/guard.php';
Sounds like in your case you want 'public' and 'logged-in', which is slightly different, but is a case also covered by my guard script. There, I simply check that the $_SESSION variable is empty (I insert stuff into it upon log-in):
// inc/guard.php: $access is set by the including page before the include
if ($access != 'public' && empty($_SESSION)) {
    header('HTTP/1.1 401 Unauthorized', true);
    include 'inc/login.php';
    exit;
}
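The two approaches side by side, as an added example that is not code from the question or from any of the answers: the question's REQUEST_URI parse and the per-page declaration checked against the session from the last answer, both written as functions that return a decision so they can be run over constructed request URIs. The protected page names, the $_SESSION['user']['id'] login marker and the rewrite row (taken from the first answer's /test.html to /index.php?action=test scenario) are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example (not the original poster's or the answerers' code).
// Assumptions: protected pages are page_1..page_3, a logged-in user is marked
// by $_SESSION['user']['id'], and the rewrite row below models the first
// answer's scenario where the script sees the rewritten URI.

const PROTECTED_PAGES = ['page_1', 'page_2', 'page_3'];

// The question's parse: drop the leading '/', keep everything before the first
// '.', and fall back to 'index' for the bare '/'.
function pageFromRequestUri(string $requestUri): string
{
    [$page] = explode('.', substr($requestUri, 1));
    return $page !== '' ? $page : 'index';
}

// Decision the question's script makes, returned instead of redirecting:
// 'login' (would redirect to login.html) or 'serve'.
function urlBasedDecision(string $requestUri, array $session): string
{
    $loggedIn = !empty($session['user']['id']);
    $page = pageFromRequestUri($requestUri);
    return (in_array($page, PROTECTED_PAGES, true) && !$loggedIn) ? 'login' : 'serve';
}

// Decision the guard from the last answer makes. $access is what the page
// itself declared before including the guard; the request URI is never read.
function guardDecision(string $access, array $session): string
{
    return ($access !== 'public' && empty($session)) ? 'login' : 'serve';
}

// Constructed scenarios: what the client asked for, what REQUEST_URI holds when
// the script runs, which page's content is served, and what that page declares.
function scenarios(): array
{
    return [
        // [client URL, REQUEST_URI seen by script, page served, declared access]
        ['/',                      '/',                        'index',  'public'],
        ['/page_1.html',           '/page_1.html',             'page_1', 'logged-in'],
        ['/page_1.html?preview=1', '/page_1.html?preview=1',   'page_1', 'logged-in'],
        // rewrite case from the first answer: the application sees the rewritten URI
        ['/page_1.html',           '/index.php?action=page_1', 'page_1', 'logged-in'],
    ];
}

function compareDecisions(array $session): array
{
    $rows = [];
    foreach (scenarios() as [$clientUrl, $requestUri, $served, $access]) {
        $rows[] = [
            'client'      => $clientUrl,
            'seen'        => $requestUri,
            'served'      => $served,
            'url_check'   => urlBasedDecision($requestUri, $session),
            'guard_check' => guardDecision($access, $session),
        ];
    }
    return $rows;
}

// Anonymous visitor (empty session) and a logged-in one, for comparison.
foreach (['anonymous' => [], 'logged-in' => ['user' => ['id' => 42]]] as $who => $session) {
    echo "== $who ==\n";
    foreach (compareDecisions($session) as $r) {
        printf("%-26s seen as %-26s serves %-7s url-check: %-6s guard: %s\n",
            $r['client'], $r['seen'], $r['served'], $r['url_check'], $r['guard_check']);
    }
}
```

For the anonymous visitor the two checks agree on the first three rows; on the rewrite row the URL-based check parses 'index' out of the URI it is given and serves page_1, while the guard still answers 'login' because the page's own declaration, not the URI, drives the decision. That is the practical difference between the question's approach and the last answer's: the URL check is only as reliable as the URI the web server or FastCGI layer hands to the script, the guard is as reliable as the session.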