避免PHP中代码注入的最佳方法 [英] Best way to avoid code injection in PHP

问题描述

我的网站最近遭到了一个无辜的代码的攻击:

My website was recently attacked by, what seemed to me as, an innocent code:

<?php
  if ( isset( $ _GET['page'] ) ) {
    include( $ _GET['page'] . ".php" );
  } else {
    include("home.php");
  }
?>

那里没有SQL调用，因此我不担心SQL注入.但是，显然，SQL并不是唯一的注入方式.

There where no SQL calls, so I wasn't afraid for SQL Injection. But, apparently, SQL isn't the only kind of injection.

此网站提供了解释以及避免代码注入的一些示例: http://www.theserverpages.com/articles/webmasters/php/security/Code_Injection_Vulnerabilities_Explained.html

This website has an explanation and a few examples of avoiding code injection: http://www.theserverpages.com/articles/webmasters/php/security/Code_Injection_Vulnerabilities_Explained.html

您如何保护此代码免遭代码注入?

How would you protect this code from code injection?

推荐答案

使用白名单并确保页面在白名单中:

Use a whitelist and make sure the page is in the whitelist:

  $whitelist = array('home', 'page');

  if (in_array($_GET['page'], $whitelist)) {
        include($_GET['page'].'.php');
  } else {
        include('home.php');
  }

这篇关于避免PHP中代码注入的最佳方法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！