如何保护PHP文件?
[英]How to secure PHP file?
问题描述
I have made a PHP code.
我已经制作了一个 PHP 代码。 (myphp.php) (myphp.php)
if(count($_GET) === 1 && isset($_GET['secretcode'])) {
echo "my personal data";
}
else{
echo "Not Found"
}
So ,user need to browse something like " http://server.com/myphp.php?secretcode " in order to view the PHP.因此,用户需要浏览诸如“ http://server.com/myphp.php?secretcode ”之类的内容才能查看 PHP。
The question is, does it safe to do this?问题是,这样做安全吗? Can someone bypass the PHP?有人可以绕过PHP吗? If so,how to make it more secure?如果是这样,如何使其更安全?
Something like this might work像这样的事情可能会奏效
//.htaccess
<Files *.php>
Deny from All
</Files>
But I want everyone can access it only if they entered the correct parameter.但我希望每个人只有输入正确的参数才能访问它。
Thanks.谢谢。
1 个解决方案
解决方案1
0 已采纳 2017-01-08 23:43:02
Depending on how sensitive your information is, no, this is not secure .根据您的信息的敏感程度,不,这不安全。
If it is only a sonnet that you wrote which you do not want other people to read, it may be good enough.如果只是自己写的十四行诗,不想让别人看,那可能就够了。 If it is your personal bank account information then this is terrible security.如果这是您的个人银行帐户信息,那么这是非常糟糕的安全性。
GET parameters are apart of the URL, and URLs that you access are logged and stored on third party servers such as your ISP's, as well as their upstream providers. GET 参数是 URL 的一部分,您访问的 URL 被记录并存储在第三方服务器上,例如您的 ISP 及其上游提供商。 If you happen to access this URL on an open WiFi then anyone else on that network will be able to see what URLs you are visiting and will result in your "secret" URL leaking.如果您碰巧在开放式 WiFi 上访问此 URL,则该网络上的其他任何人都将能够看到您正在访问的 URL,这将导致您的“秘密”URL 泄露。 If you try to funnel your access through a proxy you may protect the secret code from those people, but you just leaked that information to the proxy instead.如果您尝试通过代理进行访问,您可能会保护这些人的密码,但您只是将该信息泄露给了代理。
You may be able to mitigate this to some extent by only browsing to your secret URL over HTTPS, but even then you may accidentally visit it when on a network for which an administrator has a root certificate installed on your machine (such as an employer's laptop), in which case your secret is now out.您可以通过仅通过 HTTPS 浏览您的秘密 URL 来在一定程度上缓解这种情况,但即便如此,当您在管理员在您的计算机上安装了根证书的网络(例如雇主的笔记本电脑)上时,您可能会意外访问它),在这种情况下,您的秘密现已泄露。 You will also in general not be able to protect what domain you are visiting regardless of whether you are using SSL/TLS or not.无论您是否使用 SSL/TLS,您通常也无法保护您正在访问的域。
As @chris85 mentioned in his comment, you aren't really checking if the secret is correct.正如@chris85 在他的评论中提到的,你并没有真正检查秘密是否正确。 All I need to access your secret information is just the parameter name since you are not also checking that the value equals something.我访问您的秘密信息所需的只是参数名称,因为您还没有检查该值是否等于某值。
You may run into usability issues in your own usage as well.您也可能在自己的使用中遇到可用性问题。 Your protection will deny you access if you ever need to use more than 1 query parameter other than your "secret" code.如果您需要使用超过 1 个查询参数而不是您的“秘密”代码,您的保护将拒绝您访问。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.