Require_once and fopen in PHP security


Question

I have one file that I've implemented in PHP. The error that I get is:

Warning: require_once(): http:// wrapper is disabled in the server configuration by allow_url_include=0 in /Applications/MAMP/htdocs/opencart/catalog/view/theme/default/template/payment/bank_transfer.tpl on line 13 Warning:

Questions:

  1. I know I need to fix this by allowing allow_url_include=0 in php.ini. I'm using MAMP, and I've searched all the folders in MAMP and MAMP Pro but haven't found any line where I could set that value to 0. Should I add this line?

  2. I've read LINK and I'm worried that there are some security issues with using require_once, fopen and absolute URLs. Are there any security issues with using absolute URLs and require_once?

  3. How can I specify the URL to the document? Currently it's www.example.com/opencart/admin/kzm/kzm.utils.php; I tried to use the relative URL /opencart/admin/kzm/kzm.utils.php, but I didn't find the file. Am I doing it right?

bank_transfer.tpl:

<h2><?php echo $text_instruction; ?></h2>
    <div class="content">
          <p><?php echo $text_description; ?></p>
          <p><?php echo $bank; ?></p>
          <p><?php echo $text_payment; ?></p>
          <p><?php echo $orderIdKZM; ?></p>
          <p>
          <?php 
            echo $amountKZM; 
            $titleKZM = $titleKZM.$orderIdKZM; 
            echo '<br>';

            // This remote include is what triggers the allow_url_include warning above.
            require_once('http://example.com/opencart/admin/kzm/kzm.utils.php');
            echo $titleKZM;
            echo '<br>';

            $merchantIdKZM = '10';
            $currencyKZM = 'KZT';
            $successUrlKZM = 'http://localhost:8888/opencart/admin/kzm/kzm_pay.php';
            // Name must match the hidden form field below ($errorUrlKZM, not $erroUrlKZM).
            $errorUrlKZM = 'http://www.google.com';

            $dateKZM = " ";
            $signstrKZM = " ";
            $verKZM = " ";
            echo $merchantIdKZM.'-'.$currencyKZM.'-'.$successUrlKZM.'-'.$errorUrlKZM.'-'.$dateKZM;

          ?></p>
    </div>
    <div class="buttons">
      <div class="right">
            <form action="/opencart/testkzm.php" method="get">
                <input type="hidden" name="merchantIdKZM" value="<?php echo $merchantIdKZM; ?>">
                <input type="hidden" name="orderIdKZM" value="<?php echo $orderIdKZM; ?>">
                <input type="hidden" name="amountKZM" value="<?php echo $amountKZM; ?>">
                <input type="hidden" name="currencyKZM" value="<?php echo $currencyKZM; ?>">
                <input type="hidden" name="successUrlKZM" value="<?php echo $successUrlKZM; ?>">
                <input type="hidden" name="errorUrlKZM" value="<?php echo $errorUrlKZM; ?>">
                <input type="hidden" name="signstrKZM" value="<?php echo $signstrKZM; ?>">
                <input type="hidden" name="verKZM"  value="<?php echo $verKZM; ?>">

                <input type="submit" value="<?php echo $button_confirm; ?>" id="button-confirm" class="button" />
            </form>
        </div>
    </div>

Accepted answer

Changing allow_url_include=1 is not safe. It's set to disabled by default.

When I include something on the local machine I always use something like this so it can be ported across platforms. Hardcoding an include below the web root can lead to mandatory rewrites if you're on a shared hosting plan or if you don't control your server. Also, this is more portable for a dev/production environment.

<?php

    require_once($_SERVER['DOCUMENT_ROOT'].'/opencart/admin/kzm/kzm.utils.php');

?>

If you need to get to another directory you can always do something like this:

<?php

    require_once($_SERVER['DOCUMENT_ROOT'].'/../website2_folder/opencart/admin/kzm/kzm.utils.php');

?>
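The answer's point is that the include should stay a local filesystem path resolved from DOCUMENT_ROOT rather than an http:// URL, and that allow_url_include should stay off. The following helper is an added example, not code from the question, the answer or OpenCart: it resolves a relative path against a base directory, refuses anything with a stream-wrapper scheme (http://, php://, data:// and so on), uses realpath() to collapse "../" segments, and checks that the result still lies under the base. The function names and the directory layout it is called with are assumptions for the example.

```php
<?php
// Added example (not from the question or answer): a checked local include
// that cannot be turned into a remote include by configuration or input.
// Function names and the base directory used below are assumptions.

declare(strict_types=1);

/**
 * Resolve $relative against $base and return the real path, or throw.
 * Only plain, local, already-existing .php files under $base are accepted.
 */
function resolve_local_include(string $base, string $relative): string
{
    // Refuse anything that looks like a URL or stream wrapper ("http://", "php://", ...).
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $relative)) {
        throw new InvalidArgumentException("Remote or wrapper include refused: $relative");
    }
    // Refuse NUL bytes, which can truncate the path in C-level filesystem calls.
    if (strpos($relative, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in include path');
    }

    $realBase = realpath($base);
    if ($realBase === false) {
        throw new RuntimeException("Base directory does not exist: $base");
    }

    // realpath() collapses "." and ".." and returns false for a missing file.
    $candidate = realpath($realBase . DIRECTORY_SEPARATOR . ltrim($relative, '/\\'));
    if ($candidate === false) {
        throw new RuntimeException("Include target not found: $relative");
    }

    // The resolved file must still sit inside the base directory.
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("Include escapes base directory: $relative");
    }
    if (substr($candidate, -4) !== '.php') {
        throw new RuntimeException("Only .php files may be included: $relative");
    }
    return $candidate;
}

/** Include a checked local file exactly once. */
function require_local_once(string $base, string $relative): void
{
    require_once resolve_local_include($base, $relative);
}

// Deployment sanity check: allow_url_include should read as off (the PHP default).
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is enabled; remote code inclusion is possible');
}

// Usage matching the answer's first snippet (assumed layout under the web root):
// require_local_once($_SERVER['DOCUMENT_ROOT'], '/opencart/admin/kzm/kzm.utils.php');
//
// Constructed inputs that the helper refuses with an exception:
// resolve_local_include($_SERVER['DOCUMENT_ROOT'], 'http://example.com/opencart/admin/kzm/kzm.utils.php');
// resolve_local_include($_SERVER['DOCUMENT_ROOT'], '../../etc/passwd');
```

For the answer's second case, where the file lives in a sibling directory outside the web root, pass that parent directory (for example dirname($_SERVER['DOCUMENT_ROOT'])) as the base instead of writing "/../" into the relative path; the helper deliberately rejects paths that resolve outside whatever base it is given.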
