PHP Header Location with parameter

2020-02-29 11:17发布

站内问答 / PHP
1874 4 4

Is it possible to append a parameter to a PHP Header Location? I'm having trouble getting it to work. Is this syntax actually allowed?

$qry = $_SERVER['QUERY_STRING'];
header('Location: http://localhost/blast/v2/?$qry ') ;

it just won't replace $qry wit its actual value....why??

in the browser it ends up looking like this:

http://localhost/blast/v2/?$qry

thanks

4条回答
神经病院院长
2楼-- · 2020-02-29 11:45

I know this is a very old post, but please, do not do this. Parameters in a header are XSS vulnerable. You can read more about XSS'ing here: owasp.org/index.php/Cross-site_Scripting_(XSS)

查看更多
0人赞 添加讨论(0) 举报
我欲成王,谁敢阻挡
3楼-- · 2020-02-29 11:51

Change the single quotes to double quotes:

header("Location: http://localhost/blast/v2/?$qry");

A single quoted string in PHP is treated as a string literal, which is not parsed for variables. Double quoted strings are parsed for variables, so you will get whatever $qry contains appended, instead of literally $qry.

查看更多
0人赞 添加讨论(0) 举报
可以哭但决不认输i
4楼-- · 2020-02-29 11:56

wiles How to Fix the XSS attack on header location

$param = $_REQUEST['bcd'];
header("Location: abc.php/?id=$param");
查看更多
0人赞 添加讨论(0) 举报
Lonely孤独者°
5楼-- · 2020-02-29 12:01

You can also add multiple parameters via a header like:

$divert=$row['id']."&param1=".($param1)."&param2=".($param2);
header("Location:showflagsab.php?id=$divert");

which adds the two additional paramaters to the original id

These can be extracted using the $get method at their destination

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)