Better security of PHP by keeping include files outside the public folder?


Question

Languages such as Perl, Python, etc. are usually considered to have better security compared with PHP. Apart from possible security holes, one reason can be (I do not know, I am asking) that we do not put the executable files of Perl and Python within the public folder. Since PHP files are not executable, it is safe to keep them within the public folder.

Is it a wise and practical approach to keep php files outside the public folder to restrict possible access by attackers? If yes, is it common? Because I do not see any disadvantage (except slightly harder handling of files spread over different places); but if it is beneficial for improving security, it is worth considering. Since I do not know about the ways hackers attack a php-based website, I have no idea how it can improve security.

Answer

Is it a wise and practical approach to keep php files outside the public folder to restrict possible access by attackers?

Yes.

If yes, is it common?

Yes.

but if it is beneficial for improving security,

Your PHP app will typically consist of many individual files. Usually, these will get included from other files. For example, you might have:

index.php
lib/db.php
lib/auth.php

In this example, since all the files are in the document root, an external user could hit the URL http://domain.com/lib/auth.php and run that include file directly, independent of the auth system that's supposed to be sourcing it. Will it do anything bad when run by itself? Probably not. But to be safe, you should move the include files outside the document root, thus making it impossible for the web server to serve them directly.

(Note that this vulnerability is not exclusive to PHP, and thus keeping your libs outside the document root is a good practice, regardless of platform.)
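The layout change the answer recommends, as an added example that is not part of the original answer: a POSIX shell script that builds the "flat" layout from the question (everything under the document root) and the "split" layout from the answer (only the entry point under the document root, libraries in a sibling directory), and then audits a document root for PHP files that are not designated entry points. The directory names `htdocs/` and `lib/`, and the `APP_ENTRY` guard constant written into the library files, are assumptions made for this example; the guard is an extra defence-in-depth check, not something the answer asks for.

```shell
#!/bin/sh
# Added example, not code from the original answer. Builds the "flat" layout
# the question describes and the "split" layout the answer recommends, then
# audits a document root for PHP files that are not designated entry points.
# Directory names (htdocs/, lib/) and the APP_ENTRY guard constant are
# assumptions made for this example.
set -eu

# "Before": everything, including the libraries, sits under the document root,
# so http://domain.com/lib/auth.php is served and executed directly.
make_flat_layout() {
    root="$1"
    mkdir -p "$root/htdocs/lib"
    cat > "$root/htdocs/index.php" <<'EOF'
<?php
require __DIR__ . '/lib/db.php';
require __DIR__ . '/lib/auth.php';
EOF
    printf '<?php\n// database helpers\n' > "$root/htdocs/lib/db.php"
    printf '<?php\n// authentication helpers\n' > "$root/htdocs/lib/auth.php"
}

# "After": only the entry point is under the document root. The libraries live
# in a sibling directory the web server never serves, and index.php reaches
# them with a filesystem path relative to its own location.
make_split_layout() {
    root="$1"
    mkdir -p "$root/htdocs" "$root/lib"
    cat > "$root/htdocs/index.php" <<'EOF'
<?php
define('APP_ENTRY', true);
require dirname(__DIR__) . '/lib/db.php';
require dirname(__DIR__) . '/lib/auth.php';
EOF
    # Belt and braces: if a library file is ever copied back under the
    # document root, the guard refuses to run it outside an entry point.
    for lib in db auth; do
        cat > "$root/lib/$lib.php" <<'EOF'
<?php
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit;
}
EOF
    done
}

# Audit: print every .php file under the document root that is not one of the
# entry points named as extra arguments. Returns 1 if any were found, 0 if the
# document root contains only entry points.
audit_docroot() {
    docroot="$1"; shift
    found=0
    old_ifs="$IFS"; IFS='
'
    for f in $(find "$docroot" -type f -name '*.php' | sort); do
        rel=${f#"$docroot/"}
        allowed=0
        for entry in "$@"; do
            [ "$rel" = "$entry" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            echo "served but not an entry point: $rel"
            found=1
        fi
    done
    IFS="$old_ifs"
    return "$found"
}

# Stand-alone demonstration: the flat layout fails the audit, the split passes.
demo_dir=$(mktemp -d)
make_flat_layout "$demo_dir/flat"
make_split_layout "$demo_dir/split"
for layout in flat split; do
    if audit_docroot "$demo_dir/$layout/htdocs" index.php; then
        echo "$layout: document root contains only entry points"
    fi
done
rm -rf "$demo_dir"
```

Point the web server at `htdocs/` only (Apache `DocumentRoot`, nginx `root`), so `lib/` is a sibling of the served tree rather than inside it; `audit_docroot` is the check to run against a real deployment after the move, listing anything the server would still serve that is not meant to be requested directly.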
