如何使某些文件只能由 PHP 脚本访问?
我正在构建一个 CMS,主页 (index.php) 是由 CMS 目录中的许多小文件构建的。例如,结构可能是这样的:
index.php
menu/admin/content.php
config.php
requests.php
menu/tools/content.php
config.php
requests.php
menu/users/content.php
config.php
requests.php
当我访问根目录中的index.php时,根据$_GET参数,我得到不同的结果。例如,当我访问 index.php?section=tools 时,索引文件会加载 content、cofnig 和 requests< /code> 来自 menu/tools/ 文件夹的文件。
现在来说说问题。 index.php 页面本身仅可供登录用户访问,但出于安全原因,我想禁止任何其他人访问 menu 文件夹中的所有内容方式,而不是通过 php 的 include 函数。
为了演示可能发生的情况:如果我想删除某些内容,我使用 index.php?section=tools&delete=5,并在 menu/tools/requests.php 文件,我会检查是否设置了 $_GET['delete'] ,然后从数据库中删除 ID 5。现在的问题是,如果有人知道实际结构,他可以像这样访问 requests.php 文件:site.com/admin/menu/tools/requests.php ?delete=5,然后以这种方式破解该网站。
有没有办法防止这种可能的攻击?拒绝访问菜单文件夹中的文件,但仍然允许从我的index.php 文件访问它们?也许是htaccess?我真的不想对“菜单”文件夹中的每个文件进行检查(如果设置了会话/cookie),尽管这将是一个可能的解决方案。
I'm building a CMS and the main page (index.php) is being built up from a lot of small files in the CMS's directory. For example, the structure could be like this:
index.php
menu/admin/content.php
config.php
requests.php
menu/tools/content.php
config.php
requests.php
menu/users/content.php
config.php
requests.php
When I access the index.php in the root directory, I get a different result based on the $_GET parameters. For example, when I access index.php?section=tools, the index file loads up the content, cofnig and requests files from menu/tools/ folder.
Now to the problem. The index.php page itself is accessible just for the logged in users, but for security reasons, I'd like to disable everything in menu folder from being accessed by any other way, than by php's include function.
To demonstrate what could happen: If I want to delete something, I use index.php?section=tools&delete=5, and in the menu/tools/requests.php file, I would check if $_GET['delete'] is set and then delete ID of 5 from the DB. Now the problem is that, if someone knew the actual structure, (s)he could access the requests.php file like this: site.com/admin/menu/tools/requests.php?delete=5, and hack the site that way.
Is there a way to prevent this kind of possible attacks? Something to deny access for the files in menu folder, but still let them be accessed from my index.php file? Htaccess maybe? I really don't feel like putting a check (if session/cookie is set) to every single file in the 'menu' folder, although that would be a possible solution.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
在您不想拒绝访问的文件夹中创建一个 .htaccess,其中包含以下内容:
不过,最好将该文件夹放在 Web 根目录之外。
Create a .htaccess in the folder(s) you wan't to deny access to containing the following:
The best would be to have the folder outside of the web root, though.
最好的方法是将
menu文件夹移动到网络服务器文档根目录之外的某个位置。这样,就没有 URL 映射到menu/tools/requests.php,而您唯一的安全问题就是在index.php中执行的操作The best way is to move the
menufolder to somewhere outside the document root of the webserver. That way, no URL maps tomenu/tools/requests.phpand your only safety concern is what you do inindex.php首先,如果有人手动添加 GET 参数并“破解”该网站,就会出现问题。在脚本中,您应该验证尝试执行这些操作的用户的身份验证,如果他们通过了身份验证,那么应该没有问题。我认为任何人都不会在通过 GET 参数删除某些内容时遇到问题,因为他们可以自己在界面上执行此操作。
有您要求的解决方案,但它们各自有自己的担忧...
CodeIgniter 通过设置一个变量来工作,然后在每个脚本的头部,
您还可以检查 $_SERVER['SCRIPT_FILENAME'], $_SERVER[' SCRIPT_NAME'] 或 $_SERVER['PHP_SELF'] 查看其是否为index.php,否则退出。
First off, if someone were to manually add the GET arguments and "hack" the site there is a problem. In the script, you should be verifying the authentication of the user trying to perform these actions, and if they are authenticated then there should be no problem. I don't think anyone is going to cause problems deleting something via GET param, when they can do it on the interface themselves.
There are solutions the way you asked, but they each have their own concerns...
CodeIgniter works by setting a variable, and then on the head of each script,
You could also check $_SERVER['SCRIPT_FILENAME'], $_SERVER['SCRIPT_NAME'] or $_SERVER['PHP_SELF'] to see if its index.php, else exit.