Security vulnerabilities in php fwrite?


Question


I recently transitioned my company's website over to our in-house servers (Apache) from a hosting company's (IIS). The group that originally built the site did a piss poor job and the entire thing was a mess to migrate. While the move went fairly smoothly, looking at the error_log there are still some missing pages.


Rather than having to continually grep through the error_log for "File does not exist" errors relating to this domain - we have about 15 or so we host on these servers - I was wondering if it might be easier to simply do the following when a 404 error occurs:

  • Redirect to a PHP page and pass along the original URL request
  • Have the new PHP page dump the URL to a log file


As I type this I am becoming less and less convinced that this is a worthwhile undertaking. Regardless, though, the underlying question is: are there potential security issues w/ using fwrite? Does there need to be any sort of scrubbing of user input if that input is going to be appended to a file? This input would not be going anywhere near a database, for whatever that is worth. Thanks in advance.

Recommended answer


As long as you are the one defining which file you are writing to (and not determining that from the URL), there should not be much risk: the only thing you'll get from the user is the content you'll write to file, and if you don't execute that file, but just read it, it should be quite OK.


The idea of logging 404 errors this way is not new: I've seen it done quite a few times, and have never faced any major problem with it (biggest problem I saw was a file that became big quite fast, because there were far too many errors ^^ )


For instance, Drupal does a bit of this: 404 errors are logged -- but to a database, so it's easier to analyse them using the web-interface.
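
An added example, not part of the original question or answer: a 404 handler that follows the advice above (log file chosen by the developer, never executed) and also escapes control characters so a crafted request cannot forge extra log lines. The log path, the field cap and the function names `log_safe` and `log_404` are assumptions made for illustration.

```php
<?php
// Added example: target of a 404 handler (e.g. Apache "ErrorDocument 404 /log404.php").
// Assumes the handler still sees the original request path in REQUEST_URI.
declare(strict_types=1);

// Fixed by the developer, never derived from the request. Keep it outside the
// document root so it is only ever read, never served or executed.
const LOG_FILE  = '/var/log/site/404.log';  // assumed path
const MAX_FIELD = 2048;                     // per-field cap to limit log growth

/**
 * Make a request-supplied value safe to store on one log line: truncate it,
 * then escape the backslash and every control or non-ASCII byte, so newlines
 * (forged entries), tabs (field shifts) and terminal escapes are neutralised.
 */
function log_safe(string $value): string
{
    $value = substr($value, 0, MAX_FIELD);
    return addcslashes($value, "\0..\37\\\177..\377");
}

/** Append one tab-separated entry; returns false if the write failed. */
function log_404(array $server, string $file = LOG_FILE): bool
{
    $line = sprintf(
        "%s\t%s\t%s\t%s\n",
        gmdate('c'),
        log_safe($server['REMOTE_ADDR'] ?? '-'),
        log_safe($server['REQUEST_URI'] ?? '-'),
        log_safe($server['HTTP_REFERER'] ?? '-')
    );

    $fh = fopen($file, 'ab');               // append only, binary-safe
    if ($fh === false) {
        return false;
    }
    flock($fh, LOCK_EX);                    // avoid interleaved concurrent writes
    $ok = fwrite($fh, $line) !== false;
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}

if (PHP_SAPI !== 'cli') {                   // only act when served by the web server
    http_response_code(404);
    log_404($_SERVER);
    echo 'Page not found';
}
```

The escaping matters when the log is later viewed: apply `htmlspecialchars()` if entries are shown in a web page, and rotate the file so it does not grow without bound.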
