堆栈内存溢出
  简体   繁体   English

通过将包含文件保存在公用文件夹之外来提高PHP的安全性?

[英]Better security of PHP by keeping include files outside the public folder?

 原文  2011-10-15 15:46:23       php/ security/ code-access-security

问题描述

Languages such as Perl, Pythong, etc are usually considered to have a better security comparing with PHP. 与PHP相比,Perl,Pythong等语言通常被认为具有更好的安全性。 Apart from possible security holes, one reason can be (I do not know, I am asking) that we do not put the executable files of Perl and Python within public folder. 除了可能的安全漏洞之外,有一个原因(我不知道,我要问)我们不会将Perl和Python的可执行文件放在公共文件夹中。 Since PHP files are not executable, it is safe to keep them within public folder. 由于PHP文件不可执行,因此将它们保存在公用文件夹中是安全的。

Is it a wise and practical approach to keep php files outside the public folder to restrict possible access by attackers? 将php文件保留在公共文件夹之外以限制攻击者可能的访问是否是明智和实用的方法? If yes, is it common? 如果是的话,这是常见的吗? because I do not see any disadvantage (except a little bit harder handling of file spread in different places); 因为我没有看到任何不利之处(除了在不同的地方处理文件传播有点困难); but if it is beneficial for improve security, it is worth of consideration. 但如果它有利于提高安全性,那么值得考虑。 Since I do not know about the ways hackers attach a php-based website, I have no idea how it can improve security. 由于我不知道黑客附加基于php的网站的方式,我不知道如何提高安全性。

1 个解决方案

解决方案1
 9 已采纳  2011-10-15 15:57:05

Is it a wise and practical approach to keep php files outside the public folder to restrict possible access by attackers? 将php文件保留在公共文件夹之外以限制攻击者可能的访问是否是明智和实用的方法?

Yes. 是。

If yes, is it common? 如果是的话,这是常见的吗?

Yes. 是。

but if it is beneficial for improve security, 但如果它有利于提高安全性,

Your PHP app will typically consist of many individual files. 您的PHP应用程序通常包含许多单独的文件。 Usually, these will get included from other files. 通常,这些将包含在其他文件中。 For example, you might have: 例如,您可能有: 

index.php
lib/db.php
lib/auth.php

In this example, since all the files are in the document root, an external user could hit the url http://domain.com/lib/auth.php and run that include file directly, independent of the auth system that's supposed to be sourcing it. 在此示例中,由于所有文件都在文档根目录中,因此外部用户可以访问URL http://domain.com/lib/auth.php并直接运行该包含文件,而不依赖于应该是的auth系统采购它。 Will it do anything bad when run by itself? 它自己运行时会做什么坏事吗? Probably not. 可能不是。 But to be safe, you should move the include files outside document root, thus making it impossible for the web server to serve them directly. 但为了安全起见,您应该将包含文件移到文档根目录之外,从而使Web服务器无法直接为它们提供服务。

(Note that this vulnerability is not exclusive to PHP, and thus keeping your libs outside document root is a good practice, regardless of platform.) (请注意,此漏洞不是PHP独有的,因此无论平台如何,将libs保留在文档根目录之外都是一种很好的做法。)

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Serving.js 和 .css 文件位于 PHP 中的公用文件夹之外 - Serving .js and .css files that are outside of public folder in PHP 访问公用文件夹之外的文件 - Access to files outside of the public folder 访问公用文件夹之外的文件 - Accesing files outside of public folder 包含文件的更好方法[php] - Better way to include files [php] 在 Codeigniter 4 中访问公用文件夹之外的文件 - Access files outside public folder in Codeigniter 4 访问public_html文件夹之外的文件 - access files outside public_html folder 确保public_html上文件夹中文件的安全性 - Ensuring security of files in folder on public_html php - 包括根文件夹外的 html 页面 - php - include html pages outside the root folder 包含文件夹中的所有文件 - PHP - Include all files in a folder - PHP 如果要包含的文件位于当前PHP文件的文件夹之外,如何包含PHP文件 - How can I include PHP files if the file that I'm going to include is located outside the folder of my current PHP file
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM