网站安全问题 [英] Website Security Questions
问题描述
我正在创建一个使用perl脚本,PHP,MySQL数据库和HTML的网站。我主要关心的是确保没有人可以访问任何可以访问我的信息的内容。我的意思是有无论如何有人得到我的Perl脚本,看到我的数据库信息。我知道关于sql注入,但我没有任何可以输入信息的表单。有什么我应该记住这个东西。
I am creating a website that is using a perl script, PHP, a MySQL database, and HTML. My main concern is making sure there is not anyway someone can gain access to anything that give them access to my information. I mean is there anyway for someone to get my perl script and see my database information. I know about sql injection but I have no forms for information to be entered into. Is there anything I should keep in mind with this stuff.
推荐答案
获取我的perl脚本并查看我的数据库信息
is there anyway for someone to get my perl script and see my database information
只有当web服务器不解析/处理脚本并返回它时作为明文。通常这种解析/处理只发生在特定的文件扩展名上,如perl文件的 .pl
和PHP文件的 .php
。如果您(或黑客)将其重命名为 .txt
,则客户端将能够以明文形式获取整个脚本。尽管如此,如果黑客能够重命名它,它仍然可以访问整个脚本。然后,这将通过FTP或CMS中的安全漏洞完成。
This will only happen when the webserver doesn't parse/process the script and returns it as plaintext. Usually this parsing/processing only happens on specific file extensions like .pl
for perl files and .php
for PHP files. If you (or the hacker) renames it to .txt
, the client will be able to obtain the entire script as plaintext. Nevertheless, if a hacker is able to rename it, it has access to the whole script anyway. This would then be done by a security hole in FTP or CMS.
此外,我还看到了从外部读取文件(通常为图像或其他静态文件)的脚本)基于路径的webapp上下文作为参数。例如。 download.php?filename.ext
如果这样的脚本没有对文件路径进行完整性检查,那么聪明的黑客可以通过 download.php?%2Fserver%2Fhtdocs%2Fscript.php
。
Further, I've seen scripts which reads files (usually images or other static files) from (outside) the webapp context based on the path as a parameter. E.g. download.php?filename.ext
If such a script doesn't do any sanity checks on the file path, a smart hacker may be able to obtain scripts as plaintext by download.php?%2Fserver%2Fhtdocs%2Fscript.php
.
这篇关于网站安全问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!