URL中的PHP标记
So I made a landing page for all these forms that the marketing department at my work makes. One of the fields they pass is a URL that I redirect to after I'm done processing - a thank you page.
Recently, I discovered a URL that looked like this:
http://www.oursite.com/folder/thank-you.php?thankyou=free-guide&adgroup=<?php echo nfpa-c ?>&reference=<?php echo ?>
Does this amount to anything but the form creator being dumb? My page is throwing huge errors about security and cross-site scripting, etc. What are the implications of this? Is there any legitimate reason to do this?
EDIT/UPDATE: My landing page is in ASP.NET. The error it mentions is possible cross-site scripting.
因此,我为我工作中的营销部门制作了所有这些表单的目标网页。 他们传递的一个字段是我在完成处理后重定向到的网址 - 感谢页面。 p>
最近,我发现了一个如下所示的网址: p >
http://www.oursite.com/folder/thank-you.php?thankyou=free-guide&adgroup=<?php echo nfpa-c?&gt; &amp; amp; reference =&lt;?php echo?&gt;
code> pre>
除了表单创建者愚蠢之外,这还算什么? 我的页面在安全性和跨站点脚本等方面犯了很大的错误。这有什么影响? 有没有合理的理由这样做? p>
编辑/更新:
我的登录页面是在ASP.NET中。 它提到的错误可能是跨站点脚本。 p>
div>
There is no legitimate reason to pass PHP code on the url like this. In fact it would be a Remote Code Execution Vulnerability, which is as bad as it gets its like like saying "Check Mate". I would make sure that that you don't have this code running, although its likely a bug because in php they would use eval("echo 'nfpa-c'");, you can't eval php tags like that, so its probably untested code.
<?php echo nfpa-c ?
I don't think it's the poster being dumb - this looks more like an outgoing form was not setup properly (e.g. PHP instructions used in a .html page that doesn't get parsed by the PHP interpreter.)
Check out the originating forms and look into their source code.