如何防止PHP文件被下载? 有人可以通过哪些方式下载它们?
[英]How to prevent PHP files from being downloaded? And what are some ways someone can download them?
问题描述
How do i prevent php files from being downloaded "illegally" like through the browser.
我如何防止通过浏览器“非法”下载 php 文件。 And what are some ways someone can use to download the php files?有人可以使用哪些方法来下载 php 文件?
5 个解决方案
解决方案1
14 已采纳 2010-09-13 18:58:51
You can't really avoid files from being downloaded if your application is not secure.如果您的应用程序不安全,您就无法真正避免下载文件。 The following example allows a malicious user to view any file on your server:以下示例允许恶意用户查看您服务器上的任何文件:
<?php
readfile($_GET['file']);
?>
If you want to prevent Apache from exposing the source code if something is wrong with PHP, add this in your httpd.conf / .htaccess:如果您想在 PHP 出现问题时阻止 Apache 暴露源代码,请在您的 httpd.conf / .htaccess 中添加:
# In case there is no PHP, deny access to php files (for safety)
<IfModule !php5_module>
<FilesMatch "\.(php|phtml)$">
Order allow,deny
Deny from all
</FilesMatch>
</IfModule>
# the following should be added if you want to parse .php and .phtml file as PHP
# .phps will add syntax highlighting to the file when requesting it with a browser
<IfModule php5_module>
AddType text/html .php .phtml .phps
AddHandler application/x-httpd-php .php .phtml
AddHandler application/x-httpd-php-source .phps
</IfModule>
解决方案2
11 2010-09-13 18:58:44
Under normal circumstances, nobody is able to download PHP source code, since it is executed on the server.通常情况下,没有人能够下载 PHP 源代码,因为它是在服务器上执行的。 The webserver recognizes PHP scripts and passes them to PHP.网络服务器识别 PHP 脚本并将它们传递给 PHP。 The result is then passed back to the browser of the requesting user.然后将结果传递回请求用户的浏览器。 The situation you described can only be achieved, if the webserver configuration is really messed up.你描述的情况只能实现,如果网络服务器配置真的搞砸了。
解决方案3
2 2012-05-08 08:52:45
<?php
header('Content-disposition: attachment; filename=http://www.victim.com/phpfile.php');
header('Content-type: application/pdf');
readfile('http://www.victim.com/phpfile.php');
?>
解决方案4
1 2014-04-24 00:50:58
Under normal circumstances, nobody is able to download PHP source code (same as the other answer), But if you have a file with a different extension example : page1.bak and you have a page1.php, the page.bak gets downloaded if you just put in the url ht..//.../page1在正常情况下,没有人能够下载 PHP 源代码(与其他答案相同),但是如果您有一个具有不同扩展名示例的文件:page1.bak 并且您有一个 page1.php,则 page.bak 将被下载,如果你只需输入网址 ht..//.../page1
I have confirmed this with PHP version 5.3.10-1ubuntu3.2 and Apache/2.2.22 In summary avoid putting your config or test files in the production directory unless you want them to be downloaded in raw state.我已经用 PHP 版本 5.3.10-1ubuntu3.2 和 Apache/2.2.22 确认了这一点 总之,除非您希望它们以原始状态下载,否则避免将您的配置或测试文件放在生产目录中。
The Option Multiview should also be disabled in apache2.conf or httpd.conf to avoid defaulting to returning "near-like" filename.还应在 apache2.conf 或 httpd.conf 中禁用 Option Multiview 以避免默认返回“near-like”文件名。
解决方案5
1 2017-07-12 14:00:23
You never download the php file from a web server running php.您永远不会从运行 php 的 Web 服务器下载 php 文件。 You can donwload the HTML delivered from the php like in this answer.您可以像this answer一样下载从php提供的HTML。 You don't get php script you get HTML + JavaScript (if some)你没有得到 php 脚本,你得到了 HTML + JavaScript(如果有的话)
<?php
header('Content-disposition: attachment;
filename=http://www.victim.com/phpfile.php');
header('Content-type: application/pdf');
readfile('http://www.victim.com/phpfile.php');
?>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.