安全的php主机名信息 - $ _SERVER ['HTTP_HOST']替代方案
[英]secure php host name information - $_SERVER['HTTP_HOST'] alternative
问题描述
I have a public facing debug script that I would only like to run on certain dev boxes, I was hoping to do this programatically inside this script, by detecting the server ip or name- 
我有一个面向公众的调试脚本,我只想在某些开发盒上运行,我希望通过检测服务器的ip或名称,在这个脚本中以编程方式执行此操作。
So I have a question about the security of $_SERVER and $_SERVER['HTTP_HOST'] in particular. 所以我对$ _SERVER和$ _SERVER ['HTTP_HOST']的安全性有一个疑问。
From this: http://shiflett.org/blog/2006/mar/server-name-versus-http-host blog post I have gathered that this var is pretty insecure, and can't be trusted. 从这里: http : //shiflett.org/blog/2006/mar/server-name-versus-http-host博客文章我收集到这个var非常不安全,不可信任。
What is the best way to find out from php what box you are currently on? 从php中找出你目前所在的盒子的最佳方法是什么?
I thought of using FILE , since that seems to be pretty secure, but I'm not sure I have enough info just from the file path. 我想过使用FILE ,因为它似乎非常安全,但我不确定我是否从文件路径中获得了足够的信息。
I don't necessarily need the server name, even ip would be fine. 我不一定需要服务器名称,即使ip也没关系。
thanks in advance. 提前致谢。
4 个解决方案
解决方案1
2 2011-02-17 01:57:58
The best method is to explicitly define the machine by placing an environment config file on it and checking for it: 最好的方法是通过在其上放置环境配置文件并检查它来显式定义机器:
if (file_exists('environment.php')) {
include 'environment.php';
}
This file could contain just the name of the machine you're on, or configuration settings like $debug = 0 or whatever else you want to customize for specific machines. 此文件可能只包含您所在机器的名称,或者配置设置,如$debug = 0或您要为特定计算机自定义的任何其他设置。
解决方案2
2 2011-02-17 02:17:41
The best way? 最好的方法? It depends on the level of control you have on your environment. 这取决于您对环境的控制程度。 Here are some options: 以下是一些选项:
Set an environmental variable via the webserver to indicate the box.
通过Web服务器设置环境变量以指示该框。 if (getenv('env_server') == 'production')This is nice, since there's no files that you need to worry about.
这很好,因为没有你需要担心的文件。 Just the webserver configuration. 只是网络服务器配置。 Set a file in a "known" place on the server, and check that (one file for the entire server).
在服务器上的“已知”位置设置文件,并检查(整个服务器的一个文件)。 require('/path/to/environment.php');That file should define a constant to determine the environment.
该文件应定义一个常量来确定环境。 Manually configure each application for the server.
手动配置服务器的每个应用程序。 This is the easiest to do, since it doesn't require anything on the server side, but it's also the least convenient since you need to manually configure each install... 这是最容易做到的,因为它在服务器端不需要任何东西,但它也是最不方便的,因为你需要手动配置每个安装...... External IP address used to get to the site:
用于访问站点的外部IP地址: This is nice since it requires no additional configuration on the server side.
这很好,因为它不需要在服务器端进行额外配置。 But it will require you to keep a map of all active IP addresses, and the servers they are bound to (especially since more than 1 IP can point to the same server)... 但它需要您保留所有活动IP地址及其绑定的服务器的映射(特别是因为多于1个IP可以指向同一服务器)...
解决方案3
0 2011-02-17 01:56:13
What is the best way to find out from php what box you are currently on?
$_SERVER["SERVER_NAME"] will usually be fine. $_SERVER["SERVER_NAME"]通常会没问题。 The security problems Chris outlines need very, very specific circumstances to work. Chris概述的安全问题需要非常非常具体的工作环境。
$_SERVER["SERVER_ADDR"] would be an alternative, too. $_SERVER["SERVER_ADDR"]也是一种替代品。
Other than that, I would tend to go with __FILE__ if there is any chance of getting a hint from the path. 除此之外,如果有机会从路径中获得提示,我倾向于使用__FILE__ 。
解决方案4
0 2011-02-17 01:59:04
You could use exec() to run a shell command. 您可以使用exec()来运行shell命令。
echo exec('hostname');
This can get the IP address on OS X, may be platform specific. 这可以获得OS X上的IP地址,可能是特定于平台的。
echo exec('ifconfig | grep "inet " | grep -v 127.0.0.1 | cut -d\ -f2');
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.