How to compress PHP files securely
I have found this code to make a PHP file cache and compress. Below is my code.
<?php if (substr_count($_SERVER['HTTP_ACCEPT_ENCODING'] ?? '', 'gzip')) ob_start("ob_gzhandler"); else ob_start(); ?>
I've found another piece of code as well, which seems to work well
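<?php
// Start gzip output buffering only if the client advertises gzip and zlib is loaded.
// "?? ''" avoids an undefined-index warning when the header is absent.
if (substr_count($_SERVER['HTTP_ACCEPT_ENCODING'] ?? '', 'gzip')) {
    if (extension_loaded('zlib')) {
        ob_start('ob_gzhandler');
    }
}
header('content-type: text/html; charset=UTF-8'); // charset uses "=", not ":"
header('cache-control: must-revalidate');
$offset = 60 * 60 * 24; // one day, in seconds
$expire = 'expires: ' . gmdate('D, d M Y H:i:s', time() + $offset) . ' GMT';
header($expire);
ob_start('compress');
// Output callback: strips /* ... */ comments from the buffered page.
function compress($buffer) {
    $buffer = preg_replace('!/\*[^*]*\*+([^/][^*]*\*+)*/!', '', $buffer);
    return $buffer;
}
?>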
But when using $_SERVER, as far as I know, it will be a security hole for the site. Can anybody tell me how I can write the above code securely? I mean, so that SQL injection is not possible.
Thanks
Comments (3)
The code you provided does not contain SQL-statements, so you do not have to worry about SQL-injection at least in this part of the code. If you implement SQL-statements elsewhere, you must take the necessary precautions of course.
Using $_SERVER shouldn't be a problem either, as long as the PHP-implementation of "substr_count" is not vulnerable. If the HTTP_ACCEPT_ENCODING-Header sent by the client contains "gzip", you will perform compression, otherwise you don't. As long as you do not use the value from $_SERVER['HTTP_ACCEPT_ENCODING'] in any other way, this seems to be safe.
And as schizodactyl already said, there are better ways to handle compression.
Sad to say, but the whole question makes no sense.
So, I'd suggest you just get rid of this code; it's all unnecessary.
You can't possibly have any SQL injection on this page, you aren't talking to a database.
However, you do not need to check the $_SERVER variable at all.
Just put
ob_start('ob_gzhandler');
at the top of your page, and you'll be fine. It is probably better to handle gzip at a different layer (you can enable zlib compression in php.ini, or have it handled by your web server itself), but if you want to do it in php you don't have to do nearly that much work.
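The first answer's point, that the client-controlled Accept-Encoding header is safe when it only drives a yes/no decision, shown as an added example that is not code from the thread. `acceptsGzip()` is a hypothetical helper and the sample headers are constructed; it parses tokens and q-values instead of matching a substring.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: reduce the client-controlled Accept-Encoding header
// to a yes/no answer. The raw value is never echoed, logged or stored.
function acceptsGzip(?string $header): bool
{
    if ($header === null || strlen($header) > 256) {
        return false;               // missing or oversized header: send uncompressed
    }
    $wildcard = null;               // q-value of "*" if the client sent one
    foreach (explode(',', strtolower($header)) as $item) {
        $parts  = array_map('trim', explode(';', $item));
        $coding = array_shift($parts);
        $q = 1.0;                   // default weight when no q= parameter is given
        foreach ($parts as $param) {
            if (preg_match('/^q\s*=\s*([01](?:\.\d{0,3})?)$/', $param, $m)) {
                $q = (float) $m[1];
            }
        }
        if ($coding === 'gzip' || $coding === 'x-gzip') {
            return $q > 0.0;        // an explicit gzip entry decides
        }
        if ($coding === '*') {
            $wildcard = $q;
        }
    }
    return $wildcard !== null && $wildcard > 0.0;
}

// Constructed sample headers, each with the answer acceptsGzip() should give.
$samples = [
    'gzip, deflate, br' => true,
    'deflate, gzip;q=0' => false,  // substr_count() would report a match here
    'identity, notgzip' => false,  // substring match only, not a real token
    'br;q=1.0, *;q=0.5' => true,   // wildcard covers gzip
    ''                  => false,
];
foreach ($samples as $header => $expected) {
    $got = acceptsGzip($header);
    printf("%-20s => %s%s\n", $header === '' ? '(empty)' : $header,
        $got ? 'gzip' : 'plain', $got === $expected ? '' : '  MISMATCH');
}
```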