如何防止包含的PHP脚本更改位置URL?

时间:2021-09-26 07:11:23

I'm including a PHP script that changes the URL.

我包含一个更改URL的PHP​​脚本。

// index.php
ob_start();
include "script.php";
   // This script redirects using  header("Location:");
$out = ob_get_clean();
// I use the $out data for calculations
echo $out;

Is there a simple way to counter or undo this unwanted redirect? How about:

有没有一种简单的方法来反击或撤消这种不需要的重定向?怎么样:

header("Location: index.php");   // redirect back to self

But this causes an endless redirect loop... any ideas?

但这导致无休止的重定向循环...任何想法?

Or is there a way to strip out the header() calls from the $out buffer, preventing it from ever reaching the client?

或者有没有办法从$ out缓冲区中去掉header()调用,防止它到达客户端?

6 个解决方案

#1


Just for future references. As of PHP 5.3 there's a new function called header_remove() which helps dealing with such situations.

仅供将来参考。从PHP 5.3开始,有一个名为header_remove()的新函数可以帮助处理这种情况。

#2


You could try to overwrite that header field with an invalid value, such as:

您可以尝试使用无效值覆盖该标头字段,例如:

header('Location: ', true);

But I don’t know how the clients react on that.

但我不知道客户对此的反应。

#3


There isn't really a good way to do that. Two things come to mind:

没有一个很好的方法可以做到这一点。我想到两件事:

  1. Open script.php as a text file, strip out any header() commands and then eval() the result.
  2. 打开script.php作为文本文件,删除任何header()命令,然后eval()结果。

  3. Echo a space before you include script.php and then trap the warning that PHP generates about issuing a header() after the output has already started. You'd need to echo the space before your output buffering.
  4. 在包含script.php之前回显一个空格,然后在输出已经开始之后捕获PHP生成的关于发出header()的警告。在输出缓冲之前,您需要回显空间。

#4


What about including the file first as a variable with file_get_contents(), stripping out the unwanted headers and then running it with PHP code (I won't mention the evil word used to parse a PHP string as PHP code)?

如何首先将文件作为变量包含在file_get_contents()中,删除不需要的标头,然后使用PHP代码运行它(我不会提到用于解析PHP字符串作为PHP代码的恶意词)?

#5


If you don't have PHP5.3 at your disposal (you probably don't), Gumbo's answer does not work and you don't want to use eval, then the only other option I can see, is the use of streams. This is however yet another, more flexible but complex, form of eval. Streams, combined with tokenizer, and you'll be able to get rid of that function call with a simple:

如果您没有PHP5.3可供使用(您可能没有),Gumbo的答案不起作用,您不想使用eval,那么我能看到的唯一其他选项是使用流。然而,这是另一种更灵活但更复杂的评估形式。 Streams,与tokenizer结合使用,您将能够通过简单的方式摆脱该函数调用:

require 'no-header://script.php';

#6


Since you have the complete text in a string before you output it, you can simple remove the headers you want with a search and replace (using a regex for example).

由于在输出之前在字符串中有完整的文本,因此可以通过搜索和替换(例如使用正则表达式)简单地删除所需的标题。

#1


Just for future references. As of PHP 5.3 there's a new function called header_remove() which helps dealing with such situations.

仅供将来参考。从PHP 5.3开始,有一个名为header_remove()的新函数可以帮助处理这种情况。

#2


You could try to overwrite that header field with an invalid value, such as:

您可以尝试使用无效值覆盖该标头字段,例如:

header('Location: ', true);

But I don’t know how the clients react on that.

但我不知道客户对此的反应。

#3


There isn't really a good way to do that. Two things come to mind:

没有一个很好的方法可以做到这一点。我想到两件事:

  1. Open script.php as a text file, strip out any header() commands and then eval() the result.
  2. 打开script.php作为文本文件,删除任何header()命令,然后eval()结果。

  3. Echo a space before you include script.php and then trap the warning that PHP generates about issuing a header() after the output has already started. You'd need to echo the space before your output buffering.
  4. 在包含script.php之前回显一个空格,然后在输出已经开始之后捕获PHP生成的关于发出header()的警告。在输出缓冲之前,您需要回显空间。

#4


What about including the file first as a variable with file_get_contents(), stripping out the unwanted headers and then running it with PHP code (I won't mention the evil word used to parse a PHP string as PHP code)?

如何首先将文件作为变量包含在file_get_contents()中,删除不需要的标头,然后使用PHP代码运行它(我不会提到用于解析PHP字符串作为PHP代码的恶意词)?

#5


If you don't have PHP5.3 at your disposal (you probably don't), Gumbo's answer does not work and you don't want to use eval, then the only other option I can see, is the use of streams. This is however yet another, more flexible but complex, form of eval. Streams, combined with tokenizer, and you'll be able to get rid of that function call with a simple:

如果您没有PHP5.3可供使用(您可能没有),Gumbo的答案不起作用,您不想使用eval,那么我能看到的唯一其他选项是使用流。然而,这是另一种更灵活但更复杂的评估形式。 Streams,与tokenizer结合使用,您将能够通过简单的方式摆脱该函数调用:

require 'no-header://script.php';

#6


Since you have the complete text in a string before you output it, you can simple remove the headers you want with a search and replace (using a regex for example).

由于在输出之前在字符串中有完整的文本,因此可以通过搜索和替换(例如使用正则表达式)简单地删除所需的标题。