The Way of PHP Security: the switch comparison flaw

Author: 温新

Category: [PHP Basics]

Reads: 1920

Posted: 2020-10-11 13:41:01

When the case labels of a switch are numbers, switch converts the value being tested to an int before comparing it.

```php
// The string is not numeric, but switch compares loosely, so its leading "2" is what gets matched
$num = '2www.ziruchu.com';
switch ($num) {
    case 0:
        echo '你被转为了数字,我是0';
        break;
    case 1:
        echo '你被转为了数字,我是1';
        break;
    case 2:
        echo '你被转为了数字,我是2';
        break;
    default:
        echo '你是谁?~~~';
}
```

The code above prints '你被转为了数字,我是2'.

[The fix] Check that the input is valid, and reject invalid input immediately, before it reaches the switch.

```php
$num = '2www.ziruchu.com';

// Reject anything that is not numeric before it can be loosely compared
if (!is_numeric($num)) {
    die('类型错误,非法访问!');
}

switch ($num) {
    case 0:
        echo '你被转为了数字,我是0';
        break;
    case 1:
        echo '你被转为了数字,我是1';
        break;
    case 2:
        echo '你被转为了数字,我是2';
        break;
    default:
        echo '你是谁?~~~';
}
```
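As an added example that is not part of the original post: the post's switch kept as a loose variant beside a hardened variant that validates with FILTER_VALIDATE_INT and compares with ===, run over constructed inputs that show which values is_numeric() still lets through. The function names and the sample inputs are my own.

```php
<?php
declare(strict_types=1);

// Added example, not the original post's code. looseRoute() keeps the post's
// switch as written; strictRoute() is a hardened version of the same logic.

// switch compares with == (loose equality). On PHP 7, '2www.ziruchu.com' == 2
// is true because the string is converted to the number 2 first.
// On PHP 8, int == non-numeric-string compares the int as a string instead
// ("2" == "2www.ziruchu.com" is false), so the default branch runs there.
function looseRoute($num): string
{
    switch ($num) {
        case 0:  return 'matched 0';
        case 1:  return 'matched 1';
        case 2:  return 'matched 2';
        default: return 'no match';
    }
}

// Validate first, then compare with === so no type juggling can happen.
// FILTER_VALIDATE_INT is stricter than the post's is_numeric(): it rejects
// floats ('2.0'), exponent notation ('2e0') and leading zeros ('02'),
// all of which is_numeric() accepts.
function strictRoute($num): string
{
    $int = filter_var($num, FILTER_VALIDATE_INT);
    if ($int === false) {
        return 'rejected: not an integer';
    }
    if ($int === 0) { return 'matched 0'; }
    if ($int === 1) { return 'matched 1'; }
    if ($int === 2) { return 'matched 2'; }
    return 'no match';
}

// Constructed sample inputs: the post's payload plus a few edge cases.
$samples = ['2', '2www.ziruchu.com', '2.0', '2e0', '02', 'abc', 2];
foreach ($samples as $s) {
    printf("%-20s is_numeric=%-5s loose=%-9s strict=%s\n",
        var_export($s, true),
        var_export(is_numeric($s), true),
        looseRoute($s),
        strictRoute($s));
}
```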

I'm a beginner, and I look forward to walking this road together with excellent people like you!

小白

11 October 2020
