PHP:php_sapi_name() 安全吗(用户可以操作它)吗? [英] PHP: Is php_sapi_name() safe (can the user manipulate it)?

问题描述

用户可以操作php_sapi_name()返回的值吗?

can the user manipulate the value which is returned by php_sapi_name()?

我有一个看起来像这样的脚本:

I have a script which looks like this:

if( php_sapi_name() !== "cli" ){
   die( "NoAccess" );
}

// Do some admin stuff

这个脚本应该只(！)通过命令行调用.上面的代码安全吗?或者有人可以通过 HTTP 调用脚本并在 if 条件之外执行它?

This script should only (!) be called through command line. Is the code above safe? Or can somebody call the script through HTTP and execute it beyond the if condition?

推荐答案

php_sapi_name() 的返回值是安全的.它不是根据用户数据生成的.

php_sapi_name()'s return value is safe to rely on. It's not generated from user data.

如果您不希望从您的 Web 服务器调用它，则不应让您的 Web 服务器访问该脚本.如果您关心安全，则根本无法访问此脚本.

You shouldn't have this script accessible to your web server though if you don't want it to be called from your web server. If you cared about safety, this script wouldn't be accessible at all.

您还提到了 .htaccess... 不要使用它，在其他地方使用适当的配置文件..htaccess 必须为每个请求加载和解析，效率不高.

You also mentioned .htaccess... don't use that, use a proper config file elsewhere. .htaccess has to be loaded and parsed for every request, which is not efficient.

这篇关于PHP:php_sapi_name() 安全吗(用户可以操作它)吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！