对网站访问者隐藏 *.inc.php
我有一个脚本 myscript.inc.php 处理所有看起来像 /script-blah 的 url 我通过使用以下 .htaccess 来完成此操作
RewriteEngine On
RewriteRule ^script-(.*)$ myscript.inc.php?s=$1 [QSA,L]
,但是用户也可以通过输入 /myscript.inc.php?s=blah 来访问它 我想阻止这种情况发生。我尝试过
<Files ~ "\.inc\.php$">
Order deny,allow
Deny from all
</Files>
,
RewriteCond %{REQUEST_URI} \.inc\.php
RewriteRule .* - [F,L,NS]
它们都阻止用户查看 /myscript.inc.php?s=blah 但它们也会导致 /script-blah 返回 403...
有没有办法正确执行此操作?
I have a script myscript.inc.php which handles all urls that look like /script-blah
I accomplish this by using following .htaccess
RewriteEngine On
RewriteRule ^script-(.*)$ myscript.inc.php?s=$1 [QSA,L]
However users could also access it this way by typing /myscript.inc.php?s=blah
I would like to prevent that. I tried
<Files ~ "\.inc\.php$">
Order deny,allow
Deny from all
</Files>
and
RewriteCond %{REQUEST_URI} \.inc\.php
RewriteRule .* - [F,L,NS]
They both prevent users from viewing /myscript.inc.php?s=blah but they also cause /script-blah to return 403...
Is there a way to do this correctly?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
我使用以下方法来保护我的 .inc.php 文件。将以下内容添加到您的 .htaccess:
I use the following method to protect my .inc.php files. Add the following to your .htaccess:
您还可以尝试以下操作(许多开源包都这样做)
index.html
Options -Indexes
例如,这里是 Kohana 的 "丢弃无效访问”。它是所有 PHP 文件中的第一行。
这行基本上是说“如果没有通过定义 SYSPATH 的 index.php 包含,我们将中止脚本并显示一条友好的消息”
You could also try the following (a number of open source packages do this)
index.html
in every folderOptions -Indexes
For example, here is Kohana's "toss out invalid accesses". It is the first line in all PHP files.
This line basically says "if not included via index.php where SYSPATH is defined, we will abort script and show a friendly message"
如果它是文件名,您可以重定向
You could redirect if it is a filename