是否可以进行“ PHP注入”? [英] Is it possible to make a "php injection"?
问题描述
我正在构建一个Web应用程序,并且担心安全性。
I'm building a web application and I'm concern with security.
这是进行 php注入的一种方法吗?是否可以进行 SQL注入?这意味着客户端可以发送一些将在服务器上执行的php代码。
Is it a way to make a "php injection", in the same way it is possible to make "SQL injection" ? That means client can send some php code which will be executed on the server.
在我们不使用 eval功能之前,我想说否。 ,因为当我们通过$ _GET和$ _POST获得值时,所有数据都被视为简单的字符串...但是也许我看不到明显的攻击。</ p>
Until we don't use the "eval" function, I would like to say "no" because when we get a value by $_GET and $_POST, all the data are treated as simple string... But maybe I don't see an obvious attack.
推荐答案
通常,除非您使用可能解析并执行PHP的方法对其进行评估,否则不要这样做。您已经提到过eval,但是如果攻击者设法注入 / e ,则还有其他一些具有类似eval属性的函数(例如 preg_replace )。 code>修饰符),否则可以允许不希望的访问级别(例如 system())。
In general, not unless you evaluate it with something that might parse and execute PHP. You already mentioned eval, but there are other functions that have eval-like properties (e.g. preg_replace, if the attacker manages to inject the /e modifier) or can otherwise allow unwanted levels of access (e.g. system()).
同样,如果攻击者可以上载文件并将其解释为PHP,则他可以运行PHP代码。 nginx可以 include()的代码也是如此-可能通过用他的上传内容覆盖文件或更改 include()参数指向远程站点(如果php.ini中未禁用该站点)。
Also, if an attacker can upload a file and get it interpreted as PHP, he can run PHP code. nginx can be easily misconfigured in a way that allows attackers to execute PHP code in image files. The same goes for getting your web site to include() his code - possibly by overwriting your files with his uploads, or changing the include() arguments to point to a remote site (if that is not disabled in php.ini).
这篇关于是否可以进行“ PHP注入”?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
