直接脚本访问终止
[英]Termination on direct script access
问题描述
I got over this kind of security measure in a bunch of php projects. 
我在许多php项目中克服了这种安全措施。 On top of every php file, there is a check if the script is invoked through direct access (eg via browser) or if it was properly included/required by the sites entry point: 在每个php文件的顶部,检查是否通过直接访问(例如,通过浏览器)调用了脚本或站点入口点是否正确包含/要求了该脚本:
if(!defined('SYSTEM_ENTRYPOINT'))
die();
Is this a good practice to use in php projects? 这是在php项目中使用的好习惯吗? What should I consider when doing so? 这样做时我应该考虑什么? Are there edge cases? 有边缘情况吗? What data could possibly be exposed when not checking this? 不检查时可能会暴露哪些数据?
1 个解决方案
解决方案1
3 已采纳 2015-08-22 21:05:57
You should handle that with URL rewrites. 您应该使用URL重写来处理。 Organize your php files in a way so the visitor cannot touch your program logic. 以某种方式组织您的php文件,以使访问者无法触及您的程序逻辑。
For example, separate your code into two dirs: web and src. 例如,将您的代码分成两个目录:web和src。 Web ahould contian only index.php ant htaccess file to route all requests to it. Web应该仅包含index.php和htaccess文件来将所有请求路由到该文件。 Src should all the program logic (controllers, db access abd so on). Src应该是所有程序逻辑(控制器,db访问abd等)。 Inside src/index.php, code some logic that will decide which controller from src folder to include. 在src / index.php内,编写一些逻辑,这些逻辑将决定要包括在src文件夹中的哪个控制器。
Make "web" directory your site's web root, and visitors won't be able to access any other php file. 将“ web”目录设置为站点的网络根目录,访问者将无法访问任何其他php文件。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.