堆栈内存溢出
  简体   繁体   English

将某些php文件限制为仅能够访问特定变量

[英]Restricting certain php files to just being able to access specific variables

 原文  2013-08-28 18:51:03       php/ security/ web-applications

问题描述

In my webapp I allow my enterprise customers to completely customize one of their weppages. 在我的webapp中,我允许企业客户完全自定义其wepage中的一种。 But these webpages are still part of my webapplication and are hosted on my server. 但是这些网页仍然是我的Web应用程序的一部分,并托管在我的服务器上。

My customers should be able to completely design their webpage with CSS, HTML and Javascript. 我的客户应该能够使用CSS,HTML和Javascript完全设计他们的网页。 And I also want to give them access to specific dynamic variables. 而且我也想让他们访问特定的动态变量。 I have 3 different options to give them access to these variables: 我有3个不同的选项可让他们访问这些变量:

  • Using str_replace, so that I just replace certain variable-names in their webpage with the corresponding dynamic value 使用str_replace,以便我只用相应的动态值替换其网页中的某些变量名
  • Using some kind of template engine like smarty, which they can use within their webpage 使用诸如smarty之类的模板引擎,他们可以在自己的网页中使用
  • Using PHP itself, so that they can use certain php variables 使用PHP本身,以便他们可以使用某些php变量

I actually think the third option is the best, because PHP already works great as a templage engine. 实际上,我认为第三个选择是最好的,因为PHP作为模板引擎已经可以很好地工作了。 But If I just let them upload anykind of php fil,e my customers could also call functions and fire database queries, because their code has permission limitation. 但是,如果我让他们上载任何类型的php fil,我的客户也可以调用函数并触发数据库查询,因为他们的代码具有权限限制。

Is there anyway to use a php-file, but just give this php file access to a certain amount of predefined variables? 无论如何,有没有使用php文件的方法,但是只允许该php文件访问一定数量的预定义变量? Especially without the permission to do database-querys, reading global-variables, saving content to the server or any other actions that could cause security issues. 尤其是在未经许可的情况下,无法执行数据库查询,读取全局变量,将内容保存到服务器或任何其他可能导致安全问题的操作。

1 个解决方案

解决方案1
 1  2013-08-28 19:39:26

A template engine is the way to go. 模板引擎是必经之路。 Securing PHP would be quite hard, if not impossible. 保护PHP相当困难,即使不是不可能的。 I do not know your scenario, or your clients, but in my experience they abuse such an opportunity much more than they use it. 我不知道您的情况或您的客户,但是根据我的经验,他们滥用这种机会的程度远远超过了利用机会的机会。 Thats even more true, if they have no database access, as that would be the only real reason to have PHP. 如果他们没有数据库访问权限,那就更是如此,因为那是拥有PHP的唯一真实原因。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 在php错误中限制对特定用户的访问 - restricting access to specific users in php error 如果不是来自某些引用PHP,则限制访问 - Restricting access if not coming from certain referer(s) PHP 限制对特定页面的访问 - Restricting access to specific pages 限制对特定页面的访问 - Restricting the access to specific pages 限制对php文件的访问 - Restricting access to php file 在PHP中限制IFRAME访问 - Restricting IFRAME access in PHP 无法从PHP访问全局数组 - Not being able to access global array from in php PHP限制对网页的访问 - PHP Restricting Access to web pages PHP:限制对最终页面的访问 - PHP: Restricting access to the final page 限制直接访问php文件 - Restricting direct access to php file
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM