Problem description
Is it actually safe/valid to use multidimensional array syntax in the URL query string?
http://example.com?abc[]=123&abc[]=456
It seems to work in every browser and I always thought it was OK to use, but according to a comment in this article it is not: http://www.456bereastreet.com/archive/201008/what_characters_are_allowed_unencoded_in_query_strings/#comment4
I would like a second opinion.
Recommended answer
The answer is not simple.
The following is extracted from section 3.2.2 of RFC 3986:
This seems to answer the question by flatly stating that square brackets are not allowed anywhere else in the URI. But there is a difference between a square bracket character and a percent encoded square bracket character.
The following is extracted from the beginning of section 3 of RFC 3986:
Syntax Components
The generic URI syntax consists of a hierarchical sequence of
components referred to as the scheme, authority, path, query, and
fragment.
URI = scheme ":" hier-part [ "?" query ] [ "#" fragment ]
So the "query" is a component of the "URI".
The following is extracted from section 2.2 of RFC 3986:
URIs include components and subcomponents that are delimited by
characters in the "reserved" set. These characters are called
"reserved" because they may (or may not) be defined as delimiters by
the generic syntax, by each scheme-specific syntax, or by the
implementation-specific syntax of a URI's dereferencing algorithm.
If data for a URI component would conflict with a reserved
character's purpose as a delimiter, then the conflicting data must
be percent-encoded before the URI is formed.
reserved = gen-delims / sub-delims
gen-delims = ":" / "/" / "?" / "#" / "[" / "]" / "@"
sub-delims = "!" / "$" / "&" / "'" / "(" / ")"
/ "*" / "+" / "," / ";" / "="
So square brackets may appear in a query string, but only if they are percent encoded. Unless they aren't, to be explained further down in section 2.2:
So because square brackets are only allowed in the "host" subcomponent, they "should" be percent encoded in other components and subcomponents, and in this case in the "query" component, unless RFC 3986 explicitly allows unencoded square brackets to represent data in the query component, which it does not.
However, if a "URI producing application" fails to do what it "should" do, by leaving square brackets unencoded in the query, then readers of the URI are not to reject the URI outright. Instead, the square brackets are to be considered as belonging to the data of the query component, since they are not used as delimiters in that component.
This is why, for example, it is not a violation of RFC 3986 when PHP accepts both unencoded and percent encoded square brackets as valid characters in a query string, and even assigns to them a special purpose. However, it would appear that authors who try to take advantage of this loophole by not percent encoding square brackets are in violation of RFC 3986.
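As an added example (not code from the original question or answer), the following JavaScript percent-encodes bracket keys the way RFC 3986 section 2.2 requires and reads back both the encoded and unencoded forms into an array, mirroring the PHP behaviour the answer describes; all sample inputs are constructed.

```javascript
// Added example (not from the original question or answer): a strict encoder
// that percent-encodes "[" / "]" in the query component as RFC 3986 section 2.2
// requires, plus a lenient reader that accepts both "abc[]" and "abc%5B%5D"
// and builds an array, as the answer says PHP does. Sample inputs are constructed.

// Query component, RFC 3986 section 3.4: query = *( pchar / "/" / "?" ),
// pchar = unreserved / pct-encoded / sub-delims / ":" / "@". "[" and "]" are
// gen-delims, so they are never in this set. "&", "=" and "+" are sub-delims and
// thus legal, but are left out here because this application uses "&" and "="
// as delimiters and many form decoders turn "+" into a space.
const QUERY_SAFE = /^[A-Za-z0-9\-._~!$'()*,;:@\/?]$/;

function encodeQueryPart(s) {
  let out = "";
  for (const byte of new TextEncoder().encode(s)) {
    const ch = String.fromCharCode(byte);
    out += byte < 0x80 && QUERY_SAFE.test(ch)
      ? ch
      : "%" + byte.toString(16).toUpperCase().padStart(2, "0");
  }
  return out;
}

// Build "abc%5B%5D=123&abc%5B%5D=456" from key/value pairs.
function buildQuery(pairs) {
  return pairs.map(([k, v]) => encodeQueryPart(k) + "=" + encodeQueryPart(v)).join("&");
}

// Lenient reader: percent-decode each key and value first, then apply PHP-style
// bracket syntax. Handles "name[]" (append) and one level of "name[sub]".
function parseQuery(qs) {
  const result = {};
  for (const part of qs.replace(/^\?/, "").split("&")) {
    if (part === "") continue;
    const eq = part.indexOf("=");
    const key = decodeURIComponent((eq < 0 ? part : part.slice(0, eq)).replace(/\+/g, " "));
    const val = decodeURIComponent((eq < 0 ? "" : part.slice(eq + 1)).replace(/\+/g, " "));
    const m = /^([^\[\]]+)\[([^\[\]]*)\]$/.exec(key);
    if (!m) { result[key] = val; continue; }
    const [, name, sub] = m;
    if (sub === "") {
      if (!Array.isArray(result[name])) result[name] = [];
      result[name].push(val);
    } else {
      if (typeof result[name] !== "object" || result[name] === null) result[name] = {};
      result[name][sub] = val;
    }
  }
  return result;
}
```

The round trip `parseQuery(buildQuery(pairs))` shows that a producer can stay compliant by encoding the brackets while a reader still accepts the unencoded form a browser would send.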