阻止直接访问php include [英] prevent direct access to a php include
问题描述
我有一个php脚本 PayPal eStores / dl_paycart 但它有 PayPal eStores settings.php安全绕过漏洞
I have a php script PayPal eStores/dl_paycart but it has PayPal eStores "settings.php" Security Bypass Vulnerability
我想知道我是否可以阻止直接访问php包含文件。
I would like to know if I can prevent direct access to a php include file.
这会有帮助吗?
defined( '_paycart' ) or die( 'Access to this directory is not permitted' );
谢谢
推荐答案
-
脚本具有.php扩展名的事实提供了一些保护 - 对该文件的任何http或https调用都将通过将要执行在提交请求之前的PHP。
The fact that the script has a .php extension offers some protection - any http or https call for that file will go through the web server which is going to execute the php before serving the request.
我建议将脚本移动到公共Web目录下的目录中,并将.htaccess文件放在该目录中,阻止所有目录请求或需要密码才能访问它。然后在公共目录中的脚本需要时包含脚本。请参阅 Apache的.htaccess教程
I would recommend moving the script to a directory under your public web directory and putting .htaccess file in that directory that either blocks all requests, or requires a password to access it. Then include the script when needed by scripts in your public directory. See Apache's .htaccess Tutorial
这篇关于阻止直接访问php include的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!