±àд°²È« PHP Ó¦ÓóÌÐòµÄÆ߸öÏ°¹ß

ÔÚÌá¼°°²È«ÐÔÎÊÌâʱ£¬ÐèҪעÒ⣬³ýÁËʵ¼ÊµÄƽ̨ºÍ²Ù×÷ϵͳ°²È«ÐÔÎÊÌâÖ®Í⣬Äú»¹ÐèҪȷ±£±àд°²È«µÄÓ¦ÓóÌÐò¡£ÔÚ±àд PHP Ó¦ÓóÌÐòʱ£¬ÇëÓ¦ÓÃÏÂÃæµÄÆ߸öÏ°¹ßÒÔÈ·±£Ó¦ÓóÌÐò¾ßÓÐ×îºÃµÄ°²È«ÐÔ£º
ÑéÖ¤ÊäÈë
±£»¤Îļþϵͳ
±£»¤Êý¾Ý¿â
±£»¤»á»°Êý¾Ý
±£»¤¿çÕ¾µã½Å±¾£¨Cross-site scripting£¬XSS£©Â©¶´
¼ìÑé±íµ¥ post
Õë¶Ô¿çÕ¾µãÇëÇóαÔ죨Cross-Site Request Forgeries£¬CSRF£©½øÐб£»¤
ÑéÖ¤ÊäÈë
ÔÚÌá¼°°²È«ÐÔÎÊÌâʱ£¬ÑéÖ¤Êý¾ÝÊÇÄú¿ÉÄܲÉÓõÄ×îÖØÒªµÄÏ°¹ß¡£¶øÔÚÌá¼°ÊäÈëʱ£¬Ê®·Ö¼òµ¥£º²»ÒªÏàÐÅÓû§¡£ÄúµÄÓû§¿ÉÄÜÊ®·ÖÓÅÐ㣬²¢ÇÒ´ó¶àÊýÓû§¿ÉÄÜÍêÈ«°´ÕÕÆÚÍûÀ´Ê¹ÓÃÓ¦ÓóÌÐò¡£µ«ÊÇ£¬Ö»ÒªÌṩÁËÊäÈëµÄ»ú»á£¬Ò²¾Í¼«ÓпÉÄÜ´æÔڷdz£Ôã¸âµÄÊäÈë¡£×÷ΪһÃûÓ¦ÓóÌÐò¿ª·¢ÈËÔ±£¬Äú±ØÐë×èÖ¹Ó¦ÓóÌÐò½ÓÊÜ´íÎóµÄÊäÈë¡£×Ðϸ¿¼ÂÇÓû§ÊäÈëµÄλÖü°ÕýÈ·Öµ½«Ê¹Äú¿ÉÒÔ¹¹½¨Ò»¸ö½¡×³¡¢°²È«µÄÓ¦ÓóÌÐò¡£
ËäÈ»ºóÎĽ«½éÉÜÎļþϵͳÓëÊý¾Ý¿â½»»¥£¬µ«ÊÇÏÂÃæÁгöÁËÊÊÓÃÓÚ¸÷ÖÖÑéÖ¤µÄÒ»°ãÑéÖ¤Ìáʾ£º
ʹÓð×Ãûµ¥ÖеÄÖµ
ʼÖÕÖØÐÂÑéÖ¤ÓÐÏÞµÄÑ¡Ïî
ʹÓÃÄÚÖÃתÒ庯Êý
ÑéÖ¤ÕýÈ·µÄÊý¾ÝÀàÐÍ£¨ÈçÊý×Ö£©
°×Ãûµ¥ÖеÄÖµ£¨White-listed value£©ÊÇÕýÈ·µÄÖµ£¬ÓëÎÞЧµÄºÚÃûµ¥Öµ£¨Black-listed value£©Ïà¶Ô¡£Á½ÕßÖ®¼äµÄÇø±ðÊÇ£¬Í¨³£ÔÚ½øÐÐÑé֤ʱ£¬¿ÉÄÜÖµµÄÁбí»ò·¶Î§Ð¡ÓÚÎÞЧֵµÄÁбí»ò·¶Î§£¬ÆäÖÐÐí¶àÖµ¿ÉÄÜÊÇδֵ֪»òÒâÍâÖµ¡£
ÔÚ½øÐÐÑé֤ʱ£¬¼ÇסÉè¼Æ²¢ÑéÖ¤Ó¦ÓóÌÐòÔÊÐíʹÓõÄֵͨ³£±È·ÀÖ¹ËùÓÐδֵ֪¸üÈÝÒס£ÀýÈ磬Ҫ°Ñ×Ö¶ÎÖµÏÞ¶¨ÎªËùÓÐÊý×Ö£¬ÐèÒª±àдһ¸öÈ·±£ÊäÈëÈ«¶¼ÊÇÊý×ÖµÄÀý³Ì¡£²»Òª±àдÓÃÓÚËÑË÷·ÇÊý×ÖÖµ²¢ÔÚÕÒµ½·ÇÊý×Öֵʱ±ê¼ÇΪÎÞЧµÄÀý³Ì¡£
±£»¤Îļþϵͳ
2000 Äê 7 Ô£¬Ò»¸ö Web Õ¾µãй¶Á˱£´æÔÚ Web ·þÎñÆ÷µÄÎļþÖеĿͻ§Êý¾Ý¡£¸Ã Web Õ¾µãµÄÒ»¸ö·ÃÎÊÕßʹÓà URL ²é¿´ÁË°üº¬Êý¾ÝµÄÎļþ¡£ËäÈ»Îļþ±»·Å´íÁËλÖ㬵«ÊÇÕâ¸öÀý×ÓÇ¿µ÷ÁËÕë¶Ô¹¥»÷Õß±£»¤ÎļþϵͳµÄÖØÒªÐÔ¡£
Èç¹û PHP Ó¦ÓóÌÐò¶ÔÎļþ½øÐÐÁËÈÎÒâ´¦Àí²¢ÇÒº¬ÓÐÓû§¿ÉÒÔÊäÈëµÄ±äÁ¿Êý¾Ý£¬Çë×Ðϸ¼ì²éÓû§ÊäÈëÒÔÈ·±£Óû§ÎÞ·¨¶ÔÎļþϵͳִÐÐÈκβ»Ç¡µ±µÄ²Ù×÷¡£Çåµ¥ 1 ÏÔʾÁËÏÂÔؾßÓÐÖ¸¶¨ÃûµÄͼÏñµÄ PHP Õ¾µãʾÀý¡£
Çåµ¥ 1. ÏÂÔØÎļþ

<?php
if ($_POST['submit'] == 'Download') {
$file = $_POST['fileName'];
header("Content-Type: application/x-octet-stream");
header("Content-Transfer-Encoding: binary");
header("Content-Disposition: attachment; filename=\"" . $file . "\";