Website Security Questions


Question


I am creating a website that is using a Perl script, PHP, a MySQL database, and HTML. My main concern is making sure there is not any way someone can gain access to anything that gives them access to my information. I mean, is there any way for someone to get my Perl script and see my database information? I know about SQL injection, but I have no forms for information to be entered into. Is there anything I should keep in mind with this stuff?

Recommended answer


> is there any way for someone to get my Perl script and see my database information


This will only happen when the web server doesn't parse/process the script and returns it as plaintext. Usually this parsing/processing only happens on specific file extensions, like .pl for Perl files and .php for PHP files. If you (or the hacker) rename it to .txt, the client will be able to obtain the entire script as plaintext. Nevertheless, if a hacker is able to rename it, they have access to the whole script anyway. This would then be done through a security hole in FTP or the CMS.


Further, I've seen scripts which read files (usually images or other static files) from (outside) the webapp context based on a path passed as a parameter, e.g. download.php?filename.ext. If such a script doesn't do any sanity checks on the file path, a smart hacker may be able to obtain scripts as plaintext by download.php?%2Fserver%2Fhtdocs%2Fscript.php.
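The path sanity check the answer calls for, as an added example that is not part of the original answer: a download handler that resolves the requested name under one allowed directory and refuses anything that escapes it. The directory /var/www/static, the parameter name `file` and the helper `resolveStaticPath()` are assumptions for this example; when run from the command line it builds a throwaway layout in a temp directory to show the check accepting a real static file and rejecting both a `../` path and an absolute path.

```php
<?php
// Added example, not from the original Q&A. Assumed layout: static files live
// under /var/www/static; the web root with scripts lives elsewhere.
declare(strict_types=1);

const STATIC_DIR = '/var/www/static';   // assumed allowed directory

/**
 * Resolve a user-supplied filename to an absolute path inside $baseDir.
 * Returns null when the request escapes the directory or the file is missing.
 */
function resolveStaticPath(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                        // allowed directory itself is missing
    }
    if (strpos($requested, "\0") !== false) {
        return null;                        // NUL bytes are never part of a real name
    }
    // Always join to the base directory; an absolute path from the client is
    // treated as relative. PHP has already URL-decoded $_GET, so the answer's
    // %2Fserver%2Fhtdocs%2Fscript.php arrives here as /server/htdocs/script.php.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // realpath() has collapsed every "../" and symlink, so a prefix check on the
    // canonical path is a reliable containment test.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                        // resolved outside the allowed directory
    }
    return $candidate;
}

if (PHP_SAPI !== 'cli') {
    // Hardened handler. The pattern the answer warns about would simply be
    // readfile($_GET['file']) with no check at all.
    $path = resolveStaticPath(STATIC_DIR, $_GET['file'] ?? '');
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
    exit;
}

// CLI self-check with a constructed directory layout (no real site involved).
$root = sys_get_temp_dir() . '/dl_demo_' . getmypid();
mkdir("$root/static", 0700, true);
file_put_contents("$root/static/logo.png", 'constructed png bytes');
file_put_contents("$root/script.php", '<?php // constructed: DB credentials would sit here');

var_dump(resolveStaticPath("$root/static", 'logo.png') !== null);   // bool(true)
var_dump(resolveStaticPath("$root/static", '../script.php'));       // NULL
var_dump(resolveStaticPath("$root/static", "$root/script.php"));    // NULL

unlink("$root/static/logo.png");
unlink("$root/script.php");
rmdir("$root/static");
rmdir($root);
```

The containment test is done on the output of realpath(), not on the raw parameter: filtering strings like `../` or `%2F` by hand misses encodings and symlinks, whereas comparing the canonical path against the allowed directory's canonical prefix is the check that actually decides whether the file can be served.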

