
Prevent cross-domain include in PHP

I imagine this question has already been asked but I can't find it, so I am sorry for the eventual duplicate. I have only found the opposite.

How do I prevent cross domain includes in PHP? Is a preg_match of the $_SERVER["HTTP_REFERER"] enough? My guess is no. What is the option, if any, on the php.ini to prevent this?

Thank you.

This is already impossible, hence you do not need to worry about it. PHP source code includes are not processed over HTTP. They can only be included if on the same server. No one can include your PHP source file in their website by just using its URL. Both the scripts have to be on the same server.

If a PHP source file is included over HTTP, the including party will only see the output generated by the PHP file, not its source code.

In fact, even you yourself cannot include() your PHP source file using HTTP, even if both the files are on the same server. Anything that goes through HTTP with a properly working PHP-enabled webserver will not send the source code out to the client.

Example:

Let's say you have a website example.com, you are on index.php and you have to include sources.php, which resides in the same directory. If you try

include("sources.php");  // or "/path/to/your/root/sources.php"

This will work as expected and source code will be included. But if you try

include("http://www.example.com/sources.php");

This will NOT include any source code from sources.php into your index.php, even though you own both files and they are on the same server. This is because when it is served via HTTP, the code has already been processed, and a properly configured PHP-enabled web server will not send out PHP source code.

You can't stop people downloading your HTTP resources and using them however they like. (Note they can only include the output of your program, not the PHP source code).

You can put barriers in the way (such as checking the user agent string in the HTTP request), but they are easy to bypass.

php.ini has no setting to prevent this. It allows you to disable the ability of scripts running on your server to include content over HTTP, but not to be included.
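As an added example (not code from either answer), this is the php.ini side of the last point: with allow_url_include and allow_url_fopen turned off, scripts on your own server cannot include() anything over HTTP, while local includes keep working. The includeLocal() helper and its allow-list are hypothetical and assume sources.php sits next to the calling script.

```php
<?php
// Hardened settings in php.ini (shown here as comments):
//   allow_url_fopen = Off
//   allow_url_include = Off
// With these off, include("http://www.example.com/sources.php") emits a
// warning and includes nothing, which also closes the remote-file-inclusion
// hole that an attacker-controlled include path would otherwise open.
declare(strict_types=1);

// Hypothetical helper: include only files from a fixed local allow-list,
// never a URL or a caller-controlled path.
function includeLocal(string $name, string $baseDir): bool
{
    $allowed = ['sources.php', 'header.php'];        // constructed allow-list
    if (!in_array($name, $allowed, true)) {
        return false;                                // rejects URLs and unknown names
    }
    $root = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves ".." and symlinks; make sure we stayed under $baseDir
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// Verify the php.ini settings at runtime; both should be false on a hardened host.
$remoteIncludeAllowed = (bool) ini_get('allow_url_include');
$remoteFopenAllowed   = (bool) ini_get('allow_url_fopen');
echo 'allow_url_include: ', $remoteIncludeAllowed ? "On\n" : "Off\n";
echo 'allow_url_fopen:   ', $remoteFopenAllowed ? "On\n" : "Off\n";

// Local include of a file next to this script works as in the answer above.
var_dump(includeLocal('sources.php', __DIR__));
// A URL never passes the allow-list, regardless of the ini settings.
var_dump(includeLocal('http://www.example.com/sources.php', __DIR__));
```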
