Errors or PHP + MySQL code displayed to the user. What information can be extracted, and how can this be prevented?
I am using an eclass platform on XAMPP. When you go directly to a file like www.domain.com/eclass/document.php instead of following the site's own navigation, you get this.
What information can a user extract from this, how do I avoid it, and how harmful is it to the system?
1146: Table 'eclass.accueil' doesn't exist
select `id` from accueil
where visible=1 AND lien NOT LIKE '%/user.php'
ORDER BY rubrique
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in C:\xampp\htdocs\eclass\include\init.php on line 310
Warning: Cannot modify header information - headers already sent by (output started at C:\xampp\htdocs\eclass\include\lib\main.lib.php:61) in C:\xampp\htdocs\eclass\include\baseTheme.php on line 60
Comments (3)
Apart from what others have already mentioned:
You could check whether the visitor is making a direct request for the file, or whether he is accessing it "the normal way." Include some form of authorisation in all your PHP files, and redirect users to the main page if they are not authorised.
You could also use .htaccess to protect files from direct access.
This could potentially be used to find holes in your security.
You can easily avert this by throwing an Exception whenever a mysql_query fails, and catching the Exception, of course ;)
You can also catch warnings. See set_error_handler and set_exception_handler.
This exposes both (part of) your database structure and your filesystem structure. It would allow a technically sophisticated user to research known exploits for the system you are using, and could end poorly.
Update your php.ini to turn display_errors off, and restart XAMPP; that should prevent this from happening.
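As an added example (not code from the original post or from the eclass project), this shows how the last two answers fit together: warnings become exceptions via set_error_handler, a failing query throws instead of returning false, and set_exception_handler logs the detail server-side while the browser only sees a generic page. It assumes PHP 7+ with mysqli (the mysql_query() in the question belongs to the old mysql extension, which PHP 7 removed); the connection credentials are placeholders.

```php
<?php
// Added example, not from the original post. Assumes PHP 7+ with mysqli.

// Same effect as display_errors=Off / log_errors=On in php.ini. Set it in
// php.ini as well: startup and parse errors happen before this line runs.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Turn warnings and notices (like the mysql_fetch_array() warning shown in
// the question) into exceptions so nothing is printed inline into the page.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false; // honour @-suppressed calls
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Uncaught exceptions: full detail (SQL text, path, line) goes to the server
// log; the user gets a generic page that reveals no internals.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('[%s] %s in %s:%d', get_class($e), $e->getMessage(),
                      $e->getFile(), $e->getLine()));
    if (!headers_sent()) {          // avoids the "headers already sent" warning
        http_response_code(500);
        header('Content-Type: text/html; charset=utf-8');
    }
    echo '<h1>Something went wrong</h1><p>The problem has been logged.</p>';
});

// SELECT wrapper: throw on failure instead of returning false, so an invalid
// result is never passed on to a fetch function.
function selectRows(mysqli $db, string $sql): mysqli_result
{
    $result = $db->query($sql);     // PHP 8.1+ mysqli throws here by default
    if ($result === false) {        // older PHP: query() returns false instead
        throw new RuntimeException("query failed: {$db->error} -- SQL: {$sql}");
    }
    return $result;
}

// The query from the question. With the table missing, the exception handler
// above runs and the browser never sees the SQL or the file paths.
$db = new mysqli('localhost', 'db_user', 'db_pass', 'eclass'); // placeholder credentials
$rows = selectRows($db, "SELECT `id` FROM accueil WHERE visible = 1
    AND lien NOT LIKE '%/user.php' ORDER BY rubrique");
while ($row = $rows->fetch_assoc()) {
    echo htmlspecialchars($row['id'], ENT_QUOTES, 'UTF-8'), '<br>';
}
```

The logged line still contains the query text and file path, so keep the PHP error log readable only by the web server account, not inside the document root.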