Why should I prevent direct access to PHP files that do not echo anything?


Question

For example, if I have a mail script or a script that writes to a database - scripts that do not echo anything important (other than a thank you, or an error message), but do a lot of important back-end work.

What could the possible security concerns from accessing them directly be?

Is it worth preventing direct access to such files?

They are receiving data using $_POST/$_GET sent through contact forms and then either mailing it or writing it to a DB (in both cases after good validation).

Still, can the data that is being worked with there be accessed somehow (other than cracking my account and downloading them :)), since obviously opening such files in a browser will not give any results to the attacker?

Recommended answer

Server misconfiguration

The security risk is, in case the web server fails to execute the PHP file (because the configuration was reset), its source code will be displayed inside the browser as plain text. And you probably want to prevent that.

Next to that scenario, another problem is, if the file actually does something with your database data for example, calling the file even without any direct output will have an influence on indirect output. This is normally unwanted as well.

In your case it even sends an email, so direct requests can be used to send emails. That is probably unwanted as well.

Not to mention the risks this can have in getting your stuff penetrated. Not that this would be the only place where it is possible, but you should keep the surface small.

The best approach, however, is to store the application's code outside of the webroot, so that those files are never accessible by a direct HTTP request.
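One concrete layout for the answer's recommendation, as an added example that is not part of the original answer: the only file under the web root is a small front controller, the mail handler lives one directory above the web root, and the handler additionally refuses to run unless it was included through that controller (so it stays inert even if it is ever copied back under the document root). The directory paths, the `APP_ENTRY` constant, the `action` field and the recipient address are assumptions.

```php
<?php
// Assumed layout (hypothetical paths):
//   /var/www/site/public/index.php      <- the only file the web server serves
//   /var/www/site/app/mail_handler.php  <- not reachable by any direct URL
//
// ---- /var/www/site/public/index.php ----
declare(strict_types=1);

// Marker that included scripts check before doing any work.
define('APP_ENTRY', true);

// Application code lives one level above the document root.
$appDir = dirname(__DIR__) . '/app';

// Only known actions are routed; anything else gets a 404, never an include
// of a caller-controlled path.
$routes = ['contact' => $appDir . '/mail_handler.php'];
$action = $_POST['action'] ?? '';

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($routes[$action])) {
    http_response_code(404);
    exit('Not found');
}
require $routes[$action];

// ---- /var/www/site/app/mail_handler.php (starts with its own <?php tag) ----
// Guard: refuse to run unless pulled in through the front controller. With the
// layout above this never triggers; it is defence in depth for the day the
// file ends up under the web root by mistake.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit('Forbidden');
}

$email   = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
$message = trim((string) filter_input(INPUT_POST, 'message', FILTER_UNSAFE_RAW));
if ($email === false || $email === null || $message === '') {
    http_response_code(400);
    exit('Invalid input');
}

// FILTER_VALIDATE_EMAIL already rejects line breaks; stripping CR/LF again
// keeps a submitted address from ever becoming extra mail headers.
$headers = 'From: ' . str_replace(["\r", "\n"], '', $email);
mail('owner@example.com', 'Contact form', $message, $headers);
echo 'Thank you';
```

Because `mail_handler.php` sits outside the document root, a server that stops executing PHP can only leak `index.php`, which contains no credentials or business logic.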
