
PHP writing to a text file on server

I have a log process that writes to a little custom .txt log file on my server when people supply input on a particular form (so I can keep an eye on those who are trying to use injection).

My question: This file is plaintext, and I do not link to it anywhere in my code other than the PHP calls file_get_contents and file_put_contents. Is there any way to see the file? Would a search engine possibly find it?

(I fully understand that this is security by obscurity. My question is how one might possibly "unobscure" this.)

To make it inaccessible from the web or search engines you would simply put that file outside of your web root directory. Be sure to have write permission on that folder :)
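The approach this answer describes, as an added example that is not part of the original answer: a small PHP logger that appends the form input to a file kept outside the document root, refuses to run if that file would resolve to a path under DocumentRoot, and neutralises newlines and control characters in the logged value (the input being logged is by the asker's own description attacker-controlled, so it can otherwise forge or split log lines). The paths, the log file name and the form field name are assumptions for illustration.

```php
<?php
// Added example (not from the original answer). Append a form-input audit
// line to a log file that lives OUTSIDE the document root, so Apache never
// serves it. All paths below are assumptions for illustration.
declare(strict_types=1);

// Assumed layout: /var/www/example.com/public is DocumentRoot, and
// /var/www/example.com/logs is a sibling directory that the web server user
// can write to but that is never served.
const LOG_FILE = '/var/www/example.com/logs/form-input.log';

/**
 * Refuse to log into a file that resolves to a path inside the document
 * root. This catches the mistake of pointing LOG_FILE at e.g. public/logs/x.txt
 * (or a symlink that ends up there).
 */
function assertOutsideDocumentRoot(string $logFile, ?string $documentRoot = null): void
{
    $docRoot = realpath($documentRoot ?? ($_SERVER['DOCUMENT_ROOT'] ?? ''));
    $logDir  = realpath(dirname($logFile));
    if ($docRoot === false || $logDir === false) {
        throw new RuntimeException('cannot resolve document root or log directory');
    }
    if (str_starts_with($logDir . DIRECTORY_SEPARATOR, $docRoot . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException("log file $logFile is inside the document root");
    }
}

/**
 * Make attacker-supplied input safe to put on a single log line: newlines,
 * NUL bytes and terminal escape sequences are hex-escaped, and the value is
 * truncated so one request cannot fill the disk.
 */
function sanitizeForLog(string $value, int $max = 512): string
{
    $value = substr($value, 0, $max);
    return preg_replace_callback(
        '/[\x00-\x1F\x7F]/',
        static fn(array $m): string => sprintf('\\x%02X', ord($m[0])),
        $value
    ) ?? '';
}

function logFormInput(string $field, string $value): void
{
    assertOutsideDocumentRoot(LOG_FILE);

    $line = sprintf(
        "%s ip=%s field=%s value=%s\n",
        gmdate('c'),
        $_SERVER['REMOTE_ADDR'] ?? '-',
        sanitizeForLog($field),
        sanitizeForLog($value)
    );

    // FILE_APPEND + LOCK_EX: concurrent requests do not interleave lines.
    if (file_put_contents(LOG_FILE, $line, FILE_APPEND | LOCK_EX) === false) {
        throw new RuntimeException('failed to write log');
    }
    // Owner-only permissions, in case the process umask is permissive.
    chmod(LOG_FILE, 0600);
}

// Usage from the form handler (the field name is an assumption):
// logFormInput('comment', $_POST['comment'] ?? '');
```

The logs directory has to exist and be writable by the web server user, as the answer says; keep it owned by that user with mode 0700 so other local accounts cannot read it either. The realpath check is what turns "outside the web root" from a convention into something the code enforces.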

I fully understand that this is security by obscurity. My question is how one might possibly "unobscure" this.

They would need to be able to know your site's code structure & logic. So if you name the directory the logs are stored in something other than logs/, that is the first decent step. Or keep the directory named logs/ but have it nested in another directory only you really know about, such as my_cool_stuff/logs.

If you really want to be sure nobody gets to it, you can always set an Apache config rule that would block anyone from reading .txt files directly from the browser; just use an Apache Files directive like this in your web site's Apache config or in an .htaccess on your site:

# Apache 2.2 access-control syntax; on Apache 2.4 it needs mod_access_compat loaded
<Files ~ "\.(txt|yml|yaml)$">
  Order allow,deny
  Deny from all
</Files>

And as the official Apache documentation states about placement of Files directives:

Note that unlike <Directory> and <Location> sections, <Files> sections can be used inside .htaccess files. This allows users to control access to their own files, at a file-by-file level.

So just place that in an .htaccess file on your server's root and it basically tells Apache, "Do not allow anyone to directly access files that end with a .txt, .yml or .yaml extension via the web server."

Now some people will recommend you simply place the file 100% outside of the main web root. And maybe this would help. But let's say some malware infection gets into your code & someone can just browse your directory structure—which happens more than not—then it doesn't matter what virtual rock you hide your data under: It will be exposed to someone who can penetrate your system & have the same access rights as the web user.

Or put simply: If Apache can access a directory & read a file, then if your site is penetrated, then the malware that penetrates will have the exact same access rights as Apache & thus can read files & directories pretty much anywhere Apache can.

That's why I generally feel "security through reasonable obscurity" is the best real world tactic. Just block direct access to files you do not want parsed through the web browser, place those files in a reasonably obscure location—even if it is in the web root—and call it a day.
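The same blocking rule written the way a practitioner would deploy it on Apache 2.4, as an added example that is not part of the original answer. Two things are worth changing from the snippet above: a blanket `\.txt$` match also blocks robots.txt, so it is better to deny the specific log file (or the whole log directory) by name; and `<Directory>` cannot go in .htaccess, so this belongs in the virtual host configuration. The directory paths and the log file name are assumptions for illustration.

```apache
# Added example (not from the original answer). Apache 2.4 syntax, intended
# for the virtual host config rather than .htaccess. Paths are assumptions.

# 1. Deny the specific log file by name wherever it sits. This does not
#    catch robots.txt or other .txt files the site legitimately serves.
<Files "form-input.log">
    Require all denied
</Files>

# 2. If the log must stay under the document root, deny the whole directory,
#    so a file saved without the expected extension is covered as well.
<Directory "/var/www/example.com/public/my_cool_stuff/logs">
    Require all denied
</Directory>

# 3. Never let Apache list directory contents, so an "obscure" directory name
#    is not simply revealed by an index page.
<Directory "/var/www/example.com/public">
    Options -Indexes
    # Keep .htaccess off unless it is needed. If it is, note that Order/Deny
    # rules need AllowOverride Limit and Require rules need AllowOverride
    # AuthConfig, otherwise the .htaccess rule is silently ignored.
    AllowOverride None
</Directory>
```

After a reload, a direct request such as `curl -sI https://example.com/my_cool_stuff/logs/form-input.log` should return 403. As the answer itself points out, this only stops HTTP fetches of the file: code running as the web server user (an include vulnerability, a compromised plugin) reads it regardless, which is why the file should also be kept out of any directory that gets backed up into or copied onto the web root.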
