PHP: 安全 - Manual

add a note User Contributed Notes
安全

webmaster �tt christophdum ddott com
16-Dec-2005 08:30


that's cool, but i use this code right here:



<?if(!defined('IN_SCRIPT')){header('HTTP/1.0 404 not found');exit;}?>



adding a 404 header will not give the user any clue that the include-file even exists !!!



i also protect the whole include-directory with a .htaccess file that says: "Deny from all"



so i guess that's pretty secure

Thomas "Balu" Walter
17-Oct-2005 04:24


Since many users can not modify apache configurations or use htaccess
files, the best way to avoid unwanted access to include files would be
a line at the beginning of the include-file:



<?php if (!defined('APPLICATION')) exit; ?>



And in all files that are allowed to be called externally:



<?php define('APPLICATION', true); ?>



     Balu

administrator at galbadian dot com
24-Apr-2005 03:47


yeah alot of people dont think about the possibility of...



Lets say a user posts $var=" " . $dbpass . " "



and your page has 



echo($var)



which shows the var $dbpass (in this case the MySQL db pass)

nick dot hristov at gmail dot com
02-Sep-2004 11:21


A correction to previous post by Dave Mink.



<Files ~ "\.inc$">

   Order allow,deny

   Deny from all

   Satisfy All

</Files>



Will not stop something like

http://www.yourserver.com/includefile.inc?pointlessvar=blahblah



Here is something more sophisticated for this task:



<Location ~ "/[^ ](?=\.inc(\?[^ ]*)?)/">

    Options None

    Order Allow, Deny

    Deny from All

    AllowOverride None

    Satisfy All

</Location>



Also, consider placing in your httpd.conf



<Location ~ "/[^ ](?=\.phps(\?[^ ]*)?)/">

    Options None

    Order Allow, Deny

    Deny from All

    AllowOverride None

    Satisfy All

</Location>

29-Aug-2004 12:21


Another good source of information on writing secure PHP code is http://securephp.damonkohler.com/

ocrow at simplexity dot net
02-Jul-2003 08:16


If your PHP pages include() or require() files that live within the web
server document root, for example library files in the same directory
as the PHP pages, you must account for the possibility that attackers
may call those library files directly.  



Any program level code in the library files (ie code not part of
function definitions) will be directly executable by the caller outside
of the scope of the intended calling sequence.  An attacker may be
able to leverage this ability to cause unintended effects.



The most robust way to guard against this possibility is to prevent
your webserver from calling the library scripts directly, either by
moving them out of the document root, or by putting them in a folder
configured to refuse web server access. With Apache for example, create
a .htaccess file in the library script folder with these directives:



Order Allow,Deny

Deny from any

annonymous at domain dot com
27-Jun-2003 09:08


best bet is to build php as cgi, run under suexec, with chroot jailed
users. Not the best, but fairly unobtrusive, provides several levels of
checkpoints, and has only the detriment of being, well, kinda slow. 8)

ManifoldNick at columbus dot rr dot com
30-Apr-2003 01:30


Remember that security risks often don't involve months of prep work or
backdoors or whatever else you saw on Swordfish ;) In fact one of the
bigges newbie mistakes is not removing "<" from user input
(especially when using message boards) so in theory a user could
secerely mess up a page or even have your server run php scripts which
would allow them to wreak havoc on your site.

26-Feb-2003 08:00


For real security you should consider providing chrooted jail's for your users.

add a note


	downloads \| documentation \| faq \| getting help \| mailing lists \| reporting bugs \| php.net sites \| links \| my php.net

search for in the

IV. 安全