安全的 php 主机名信息 - $_SERVER['HTTP_HOST'] 替代方案
我有一个面向公众的调试脚本,我只想在某些开发盒上运行,我希望通过检测服务器 IP 或名称,在该脚本内以编程方式执行此操作 -
所以我对 $_SERVER 的安全性有疑问,并且特别是 $_SERVER['HTTP_HOST'] 。
从此: http://shiflett.org/blog/2006/ mar/server-name-versus-http-host 博客文章 我发现这个变量非常不安全,并且不可信。
从 php 中找出您当前所在的框的最佳方法是什么?
我想到使用 FILE ,因为这似乎非常安全,但我不确定我是否从文件路径中获得了足够的信息。
我不一定需要服务器名称,甚至 ip 也可以。
提前致谢。
I have a public facing debug script that I would only like to run on certain dev boxes, I was hoping to do this programatically inside this script, by detecting the server ip or name-
So I have a question about the security of $_SERVER and $_SERVER['HTTP_HOST'] in particular.
From this: http://shiflett.org/blog/2006/mar/server-name-versus-http-host blog post I have gathered that this var is pretty insecure, and can't be trusted.
What is the best way to find out from php what box you are currently on?
I thought of using FILE , since that seems to be pretty secure, but I'm not sure I have enough info just from the file path.
I don't necessarily need the server name, even ip would be fine.
thanks in advance.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
最好的方法是什么?这取决于您对环境的控制程度。以下是一些选项:
通过网络服务器设置环境变量来指示该框。
这很好,因为您无需担心任何文件。只需网络服务器配置。
在服务器上的“已知”位置设置一个文件,并检查该文件(整个服务器的一个文件)。
该文件应该定义一个常量来确定环境。
手动配置服务器的每个应用程序。这是最容易做到的,因为它不需要服务器端的任何东西,但它也是最不方便的,因为您需要手动配置每个安装...
用于访问站点的外部 IP 地址:< /p>
$_SERVER['SERVER_ADDR']这很好,因为它不需要在服务器端进行额外的配置。但它会要求您保留所有活动 IP 地址及其绑定服务器的映射(特别是因为超过 1 个 IP 可以指向同一服务器)...
The best way? It depends on the level of control you have on your environment. Here are some options:
Set an environmental variable via the webserver to indicate the box.
This is nice, since there's no files that you need to worry about. Just the webserver configuration.
Set a file in a "known" place on the server, and check that (one file for the entire server).
That file should define a constant to determine the environment.
Manually configure each application for the server. This is the easiest to do, since it doesn't require anything on the server side, but it's also the least convenient since you need to manually configure each install...
External IP address used to get to the site:
$_SERVER['SERVER_ADDR']This is nice since it requires no additional configuration on the server side. But it will require you to keep a map of all active IP addresses, and the servers they are bound to (especially since more than 1 IP can point to the same server)...
最好的方法是通过在机器上放置环境配置文件并检查它来显式定义机器:
该文件可以仅包含您所在机器的名称,或诸如
$debug = 0 或您想要为特定机器定制的任何其他内容。The best method is to explicitly define the machine by placing an environment config file on it and checking for it:
This file could contain just the name of the machine you're on, or configuration settings like
$debug = 0or whatever else you want to customize for specific machines.$_SERVER["SERVER_NAME"]通常没问题。克里斯概述的安全问题需要非常非常具体的环境才能发挥作用。$_SERVER["SERVER_ADDR"]也是一种替代方案。除此之外,如果有机会从路径中获得提示,我倾向于使用
__FILE__。$_SERVER["SERVER_NAME"]will usually be fine. The security problems Chris outlines need very, very specific circumstances to work.$_SERVER["SERVER_ADDR"]would be an alternative, too.Other than that, I would tend to go with
__FILE__if there is any chance of getting a hint from the path.您可以使用 exec() 来运行 shell 命令。
这可以获取 OS X 上的 IP 地址,可能是特定于平台的。
You could use
exec()to run a shell command.This can get the IP address on OS X, may be platform specific.