阻止直接访问php include [英] prevent direct access to a php include

问题描述

我有一个php脚本 PayPal eStores / dl_paycart 但它有 PayPal eStores settings.php安全绕过漏洞

I have a php script PayPal eStores/dl_paycart but it has PayPal eStores "settings.php" Security Bypass Vulnerability

我想知道我是否可以阻止直接访问php包含文件。

I would like to know if I can prevent direct access to a php include file.

这会有帮助吗？

defined( '_paycart' ) or die( 'Access to this directory is not permitted' );

谢谢

推荐答案

1. 脚本具有.php扩展名的事实提供了一些保护 - 对该文件的任何http或https调用都将通过将要执行在提交请求之前的PHP。

1. The fact that the script has a .php extension offers some protection - any http or https call for that file will go through the web server which is going to execute the php before serving the request.

我建议将脚本移动到公共Web目录下的目录中，并将.htaccess文件放在该目录中，阻止所有目录请求或需要密码才能访问它。然后在公共目录中的脚本需要时包含脚本。请参阅 Apache的.htaccess教程

I would recommend moving the script to a directory under your public web directory and putting .htaccess file in that directory that either blocks all requests, or requires a password to access it. Then include the script when needed by scripts in your public directory. See Apache's .htaccess Tutorial

这篇关于阻止直接访问php include的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！