Why should I not put my PHP files in the public_html folder?
Some days ago someone criticized me for putting my application scripts inside the public_html folder. Until then I thought that the 755 file permission would be enough to keep my code from being read instead of executed.

I don't like the idea that nowadays at least half of our application logic is public for all eyes in the form of JavaScript, and it comes from the public folder. But what is the real threat about the PHP scripts?
The difference is typically that JavaScript code is untrusted code (or at least it should be, since it's running on the client), whereas PHP code is usually considered trusted code (since it runs on the server, where it can't be directly interfered with by users).

As such, someone discovering a hole in PHP source often has access to much greater privileges if they can exploit it than someone who discovers a hole in JavaScript code, since they can get PHP to run something server-side.

Now, while security through obscurity should not be your primary means of securing your code - it's always best to not have security holes in the first place - it's also generally not a good idea to make it easier for an attacker to locate a hole that somehow got introduced. Keeping things out of the non-script-serving root helps prevent accidents ("oops, I accidentally disabled PHP, and everyone who requests a page gets the source code instead") from occurring.

Furthermore, server-side files may include things like configuration data that is not meant to be public - internal network addresses, database info, et cetera (though it's also a good idea to keep things like credentials separate from your PHP code as well).
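A quick check for the layout the answer recommends, added here as an example and not part of the original answer: it assumes public_html holds only the front controller `index.php` plus static assets, with application code and configuration in directories outside the web root (such as `../app` and `../config`), and it lists anything in the web root that would be exposed as plain text if PHP handling were ever switched off.

```shell
#!/bin/sh
# Added example (not from the original post). Audit a web root for files that
# belong outside it. Assumed layout: public_html/index.php is the only PHP
# entry point; everything it requires lives in ../app and ../config.
# Prints one offending path per line; returns 1 if anything was found, 0 if clean.
audit_public_html() {
    docroot=${1%/}   # strip a trailing slash so the index.php exclusion matches

    offenders=$(find "$docroot" -type f \( \
        \( \( -name '*.php' -o -name '*.inc' -o -name '*.phtml' \) \
           ! -path "$docroot/index.php" \) \
        -o -name '.env' -o -name '*.ini' -o -name '*.sql' \
        -o -name '*.bak' -o -name '*~' \
    \) -print)
    # First group: any script other than the front controller is source that
    # the server would serve verbatim with PHP disabled.
    # Second group: configuration, credentials, database dumps and editor or
    # backup copies (a config.php.bak is served as text even with PHP enabled).

    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}
```

Run it as `audit_public_html /var/www/example/public_html` from a deploy script or a pre-commit hook so that a stray include or config file fails the build rather than going live.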