如何保护PHP文件免遭下载?
[英]How to secure PHP files from being downloaded?
问题描述
I have a doubt about PHP, Apache, server interpretation... I know that when a PHP file is loaded by the browser from an Apache+PHP server it is interpreted and only the HTML and plain text is showed but is there a way to download this files instead of interpreting them? 
我对PHP,Apache,服务器解释有疑问...我知道,当浏览器从Apache + PHP服务器加载PHP文件时,它将被解释并且仅显示HTML和纯文本,但是有没有办法下载此文件而不是解释它们? In this case it would be very unsecure because MySQL passwords would be unsafe. 在这种情况下,这将是非常不安全的,因为MySQL密码将是不安全的。
Is it any security measure to prevent this or it's impossible to download this files? 是否有任何安全措施可以防止这种情况发生,或者无法下载此文件?
5 个解决方案
解决方案1
6 已采纳 2012-11-14 21:55:57
As long as your server is setup properly it isn't going to happen. 只要您的服务器安装正确,它就不会发生。
A good step though is to put all of your actual passwords and whatnot in a config.php and including it. 不过,一个好的步骤是将所有实际的密码以及诸如此类的东西放到config.php中并包括它。 That way you can use htacces too block that file so that should your server ever start serving the raw pages that file won't be accessible anyway. 这样一来,您就可以使用htacces来阻止该文件,以便您的服务器开始提供原始页面时,该文件将始终无法访问。
To clarify if you create a .htaccess file and place it in the same folder as the config.php with the below information that file will not be served, even if requested directly. 为了澄清是否创建.htaccess文件并将其放置在config.php所在的文件夹中,并带有以下信息,即使直接请求也不会提供该文件。 Simply define your config stuff (db name, user name, password, hashes, etc) in this file and include_once it at the top of each page that needs it and you will be good to go. 只需在此文件中定义您的配置内容(数据库名称,用户名,密码,哈希等),然后在需要它的每个页面的顶部包含include_once即可,您会很高兴的。
<files config.php>
order allow,deny
deny from all
</files>
解决方案2
1 2012-11-14 21:55:12
无法“下载” PHP文件,但是为了提高安全性,您可以将“核心” PHP文件放在public_html文件夹之外
解决方案3
1 2012-11-14 21:57:03
Unless the PHP interpreter stops working for some reason, it's not something to worry about. 除非PHP解释器由于某种原因停止工作,否则不必担心。 Most servers are designed to interpret the PHP files every time they are requested and serve only the interpreted HTML text. 大多数服务器旨在在每次请求时解释PHP文件,并且仅提供解释后的HTML文本。 It's possible to secure your sensitive PHP settings files just in case - often by placing them outside of the root directory with modified permissions. 以防万一,可以保护敏感的PHP设置文件,这通常是通过将它们放置在具有修改权限的根目录之外来实现的。
解决方案4
0 2012-11-14 21:54:32
The only way someone could download the files is to have a server set up that serves the raw files. 某人下载文件的唯一方法是设置服务器来提供原始文件。 As long as you don't have such a server set up, they're inaccessible. 只要您没有设置这样的服务器,就无法访问它们。 If the only server software on your system is Apache and it's configured correctly, people cannot see your source code. 如果系统上唯一的服务器软件是Apache,并且配置正确,则用户将看不到您的源代码。
However, if somebody seeing your source would render your app vulnerable, you might want to give some thought as to how you can fix that problem. 但是,如果有人看到您的来源会使您的应用程序容易受到攻击,则您可能需要考虑如何解决该问题。 Lots of secure open-source software exists — why would yours being open-source cause problems? 存在许多安全的开源软件-为什么您的开源软件会引起问题?
解决方案5
0 2012-11-14 21:55:07
With proper configuration apache guarantees that files will always get interpreted and won't be offered for download. 通过正确的配置, apache可以确保始终对文件进行解释,并且不会将其提供下载。
You always may install fault update or make wrong configuration, but with skilled admin and stable release those cases just don't happen. 您总是可能会安装错误更新或进行错误的配置,但是借助熟练的管理员和稳定的发布,这些情况根本不会发生。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.