防止跨域包含在PHP中
[英]Prevent cross-domain include in PHP
问题描述
I imagine this question has already been asked but I can't find it, so I am sorry for the eventual duplicate. 
我想这个问题已经被问到了,但是我找不到,所以对最后的重复很抱歉。 I have only found the opposite. 我只发现相反的情况。
How do I prevent cross domain includes in PHP? 如何防止跨域包含在PHP中? Is a preg_match of the $_SERVER["HTTP_REFERER"] enough? $_SERVER["HTTP_REFERER"]的preg_match是否足够? My guess is no. 我的猜测不是。 What is the option, if any, on the php.ini to prevent this? 为了防止这种情况, php.ini上的选项是什么?
Thank you. 谢谢。
2 个解决方案
解决方案1
3 已采纳 2013-09-13 06:47:51
This is already impossible, hence you do not need to worry about it. 这已经是不可能的,因此您不必担心。 PHP Source code includes are not processed over HTTP . PHP包含的源代码无法通过HTTP处理。 They can be only included if on same server. 仅当它们在同一服务器上时,才可以包括它们。 No one can include your PHP source file in their website by just using its url. 没有人可以仅使用其URL将PHP源文件包含在其网站中。 Both the scripts have to be on same server 这两个脚本必须在同一服务器上
If a PHP source file is included over HTTP, the including party will only see the output generated by the PHP file, not its source code. 如果通过HTTP包含PHP源文件,则包含方将仅看到PHP文件生成的输出,而不是其源代码。
In fact, even you yourself cannot include() your PHP source file using HTTP even if both the files are on same server. 实际上,即使您自己也无法使用HTTP include() PHP源文件,即使两个文件都在同一服务器上。 Anything that goes through HTTP with a properly working PHP Enabled webserver will not send the source code out to client. 任何通过HTTP正常运行且已启用PHP的Web服务器的任何操作都不会将源代码发送到客户端。
Example: 例:
Let's say you have a website example.com and you are on index.php and you have to include sources.php which resides in the same directory. 假设您有一个example.com网站,并且位于index.php并且必须包含位于同一目录中的sources.php 。 If you try 如果你试试
include("sources.php"); //or "/path/to/your/root/sources.php"
This will work as expected and source code will be included. 这将按预期工作,并将包含源代码。 But if you try 但是如果你尝试
include("http://www.example.com/sources.php");
This will NOT include any source code from sources.php into your index.php , even though you own both files, they are on same server. 即使您同时拥有这两个文件,它们也不会包含来自sources.php任何源代码到您的index.php ,即使它们都在同一服务器上。 This is because when its served via HTTP, the code has already been processed and a properly configured php enabled web server will not send out php source code. 这是因为当通过HTTP提供服务时,代码已被处理,并且正确配置的启用php的网络服务器将不会发送php源代码。
解决方案2
0 2013-09-13 06:47:40
You can't stop people downloading your HTTP resources and using them however they like. 您不能阻止人们下载您的HTTP资源并随意使用它们。 (Note they can only include the output of your program, not the PHP source code). (请注意,它们只能包含程序的输出 ,而不能包含PHP源代码)。
You can put barriers in the way (such as checking the user agent string in the HTTP request), but they are easy to bypass. 您可以设置障碍(例如检查HTTP请求中的用户代理字符串),但是它们很容易被绕开。
php.ini has no setting to prevent this. php.ini没有设置可以防止这种情况。 It allows you to disable the ability of scripts running on your server from including content over HTTP, but not from being included. 它可以让你用来禁止包括通过HTTP内容服务器上运行脚本的能力,但没有被包括在内。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.