Deprecated: Optional parameter $keys declared before required parameter $cms_id is implicitly treated as a required parameter in /home/www/dev/work/class/blog/CmsKey.php on line 75

Deprecated: Creation of dynamic property lvesu\lvesu\controller\blog\php::$title is deprecated in /home/www/dev/work/website/lvesu/class/controller/blog/php.php on line 28

Deprecated: Creation of dynamic property lvesu\lvesu\controller\blog\php::$outlink is deprecated in /home/www/dev/work/website/lvesu/template/blog/cms/php.manual.tpl on line 2

Deprecated: Creation of dynamic property lvesu\lvesu\controller\blog\php::$status is deprecated in /home/www/dev/work/website/lvesu/template/blog/index.head.php on line 2
PHP - Manual: Request Injection Attacks - 互联网笔记

略微加速

PHP官方手册 - 互联网笔记

PHP - Manual: Request Injection Attacks

2025-10-24

Request Injection Attacks

If you are passing $_GET (or $_POST) parameters to your queries, make sure that they are cast to strings first. Users can insert associative arrays in GET and POST requests, which could then become unwanted $-queries.

A fairly innocuous example: suppose you are looking up a user's information with the request http://www.example.com?username=bob. Your application creates the query $q = new \MongoDB\Driver\Query( [ 'username' => $_GET['username'] ]).

Someone could subvert this by getting http://www.example.com?username[$ne]=foo, which PHP will magically turn into an associative array, turning your query into $q = new \MongoDB\Driver\Query( [ 'username' => [ '$ne' => 'foo' ] ] ), which will return all users not named "foo" (all of your users, probably).

This is a fairly easy attack to defend against: make sure $_GET and $_POST parameters are the type you expect before you send them to the database. PHP has the filter_var() function to assist with this.

Note that this type of attack can be used with any database interaction that locates a document, including updates, upserts, deletes, and findAndModify commands.

See » the main documentation for more information about SQL-injection-like issues with MongoDB.

添加备注

用户贡献的备注

此页面尚无用户贡献的备注。

官方地址:https://www.php.net/manual/en/mongodb.security.request_injection.php

北京半月雨文化科技有限公司.版权所有 京ICP备12026184号-3