As mentioned earlier, the first thing that seems to come to mind is the non-standard way of passing the information. That creates some difficulty when parsing the values. For me, though, the main problem is not checking/cleaning/sanitizing the data in $_GET. Probably that is too obvious, since almost all the answers were given by people who seem to know what they are doing, so I will assume they simply did not mention it because of that.
But keep in mind that if you don't check it, you are easily exposed to attacks on your script and to malfunctions. The extent of the damage depends on your own application, so it is not easy to predict.
In any case, this is what I would do, including the HTML:
<?php
// initialize variables
$variable_1 = false; // assume this is the page you want to load
$variable_2 = false;
$default = 'index.php'; // the idea is to load something controlled by you: index, error, 404, etc.

// process $_GET: check, clean and assign values
if (isset($_GET) !== false) {
    foreach ($_GET as $keys => $values) {
        // check both $keys and $values for: character set, length, validity against a white list, content
        // using an if to match $keys guarantees that regardless of the order, you will get what you want
        if ($keys === 'field_1') {
            // do what you have to do with this, for instance ...
            $variable_1 = $values;
        }
        if ($keys === 'field_2') {
            // do what you have to do with this, for instance ...
            $variable_2 = $values;
        }
        // drop every key once it has been looked at, expected or not
        unset($_GET[$keys]);
    }
    unset($keys, $values);
}

// check there are no surprises in $_GET. Log and study anything left here
if (empty($_GET) === false) {
    // it should be empty, so log what is in here and prepare your code for that
    unset($_GET);
} else {
    unset($_GET);
}

// process the variables according to what you want to do:
// if there are just a few options, and they are not going to change often,
// use a switch; otherwise, use a method to check if a file/content exists
// for the request and load it. If it doesn't exist, inform the user
// without giving away internals and suggest a new destination.
// process other variables, here or before this part, wherever makes sense
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>testing get</title>
</head>
<body>
    <form method="get" action="test_get_00.php" accept-charset="utf-8">
        <p><label for="field_1">write something<input type="text" id="field_1" name="field_1" /></label></p>
        <p><label for="field_2">write something<input type="text" id="field_2" name="field_2" /></label></p>
        <p><button type="submit">send</button></p>
    </form>
</body>
</html>
Of course, there are a few things you can do, but if you prepare your form properly, including the character set, you have fewer things to worry about, or at least a few more known elements. It is not fail-proof, but it helps.
Also, the mechanism I described above works with a whitelist mindset; that is the idea behind the foreach: after logging, check that you got what you expected, keep what you want and discard the rest.
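As an added example, not code from the original answer, the whitelist idea above written as a reusable filter: each allowed key carries a length and pattern rule, anything else is logged and dropped, and the cleaned value selects a page through a fixed table rather than a path built from input. The field names, the rules and the page map are assumptions for the illustration.

```php
<?php
// Added example (not from the original answer). Field names, rules and
// the page map are assumed values chosen for the illustration.
function filter_get(array $get, array $rules): array
{
    $clean = [];
    $unexpected = [];
    foreach ($get as $key => $value) {
        // keys must be plain identifiers and must appear in the whitelist
        if (!is_string($key) || !isset($rules[$key])
            || !preg_match('/^[a-z_][a-z0-9_]*$/', $key)) {
            $unexpected[] = (string) $key;
            continue;
        }
        // field[]=... arrives as an array; only scalar strings are expected
        if (!is_string($value)) {
            $unexpected[] = $key;
            continue;
        }
        $rule = $rules[$key];
        // character set, length and content are all checked before use
        $ok = mb_check_encoding($value, 'UTF-8')
            && mb_strlen($value, 'UTF-8') <= $rule['max_len']
            && preg_match($rule['pattern'], $value) === 1;
        $clean[$key] = $ok ? $value : false; // false: present but rejected
    }
    return ['clean' => $clean, 'unexpected' => $unexpected];
}

// assumed rules: letters, digits, space and a few punctuation characters, 64 chars max
$rules = [
    'field_1' => ['max_len' => 64, 'pattern' => '/^[\p{L}\p{N} ._-]+$/u'],
    'field_2' => ['max_len' => 64, 'pattern' => '/^[\p{L}\p{N} ._-]+$/u'],
];

$result = filter_get($_GET, $rules);
foreach ($result['unexpected'] as $key) {
    error_log('unexpected GET key: ' . $key); // study these in the log
}
unset($_GET); // nothing else should read the raw request after this point

// assumed page map: the request value is only ever a lookup key, never a path
$pages = ['home' => 'index.php', 'about' => 'about.php'];
$page_to_load = $pages[$result['clean']['field_1'] ?? ''] ?? 'index.php';
```

Unknown or rejected values fall back to index.php, so the script never builds a file name from what the client sent.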
Could you call print_r($_GET) and show what it prints? – 2014-02-03 15:26:05