避免PHP中代码注入的最佳方法 [英] Best way to avoid code injection in PHP
问题描述
我的网站最近遭到了一个无辜的代码的攻击:
My website was recently attacked by, what seemed to me as, an innocent code:
<?php
if ( isset( $ _GET['page'] ) ) {
include( $ _GET['page'] . ".php" );
} else {
include("home.php");
}
?>
那里没有SQL调用,因此我不担心SQL注入.但是,显然,SQL并不是唯一的注入方式.
There where no SQL calls, so I wasn't afraid for SQL Injection. But, apparently, SQL isn't the only kind of injection.
此网站提供了解释以及避免代码注入的一些示例: http://www.theserverpages.com/articles/webmasters/php/security/Code_Injection_Vulnerabilities_Explained.html
This website has an explanation and a few examples of avoiding code injection: http://www.theserverpages.com/articles/webmasters/php/security/Code_Injection_Vulnerabilities_Explained.html
您如何保护此代码免遭代码注入?
How would you protect this code from code injection?
推荐答案
使用白名单并确保页面在白名单中:
Use a whitelist and make sure the page is in the whitelist:
$whitelist = array('home', 'page');
if (in_array($_GET['page'], $whitelist)) {
include($_GET['page'].'.php');
} else {
include('home.php');
}
这篇关于避免PHP中代码注入的最佳方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!