如何防止在以 .php 结尾的 URL 之后添加其他字符串? [英] How can I prevent additional strings from being added after URLs that end with .php?

问题描述

我们网站的团队刚刚发现，任何用户都可以在以 .php 扩展名结尾的 URL 后面添加斜杠/"和任何字符串，并且仍然可以访问相同的原始页面.

our website's team just discovered that any user can add a slash '/' then any string after a URL that ends with a .php extension and still access the same original page.

例如:我可以通过以下方式访问 www.mydomain.com/index.php:

For example: I can access www.mydomain.com/index.php with:

• www.mydomain.com/index.php/test
• www.mydomain.com/index.php/test/123
• www.mydomain.com/index.php/wqeqwew/2234dwd

(注意:index.php/之后的附加字符串在服务器中是不存在的，它们只是一些垃圾)

(Note: Additional strings after index.php/ are non-existent in the server, they're just some garbage)

另一个问题是，对于我的动态 URL，我总是可以在我的域名和第一个参数之间添加一个不存在的 php 文件.

Another problem is that with my dynamic URLs, I can always add a nonexistent php file in between my domain name and the first parameter.

例如:我可以通过以下方式访问 www.mydomain.com/product/one:

For example: I can access www.mydomain.com/product/one with:

• www.mydomain.com/test.php/product/one
• www.mydomain.com/imnothere.php/product/one

我怎样才能防止这种情况发生，我该如何处理?这在 SEO 或安全方面是一个严重的问题吗?我希望网站在浏览器中输入或点击此类 URL 时返回 404 错误.

How can I prevent this from happening and how do I deal with it? Is this a serious problem in terms of SEO or security? I want the website to return 404 error whenever these kinds of URL are entered or clicked in the browser.

非常感谢任何帮助.谢谢！

Any help is greatly appreciated. Thanks!

我想我已经修复了它.对于第一个问题，我在 .htaccess 中添加了 AcceptPathInfo Off.对于第二个问题，我只是在我的动态 URL 的 RewriteRule 之前添加了 ^，例如RewriteRule ^product/(.*)$ 以便没有人可以在域名和第一个参数之间添加额外的字符串.感谢大家的帮助！

I think I already fixed it. For the first problem, I added AcceptPathInfo Off in my .htaccess. And for the second problem, I just added ^ before my RewriteRule for my dynamic URL, e.g. RewriteRule ^product/(.*)$ so that nobody can add anymore extra string in between the domain name and the first parameter. Thanks for all the help!

推荐答案

我怎样才能防止这种情况发生，我该如何处理?

How can I prevent this from happening and how do I deal with it?

这是由于 Apache 的 AcceptPathInfo 指令.您可以将其关闭 - 如果相应地配置了服务器，您只需要一个 .htaccess 文件即可.

This is due to Apache's AcceptPathInfo directive. You can turn it off - if the server is configured accordingly, you'll just need a .htaccess file for it.

这在 SEO 或安全方面是一个严重的问题吗?

Is this a serious problem in terms of SEO or security?

我想不出有什么办法让它成为一个严重的问题.它通常在大多数处理程序中默认启用，并且经常被用作穷人的 mod_rewrite"(一种提供漂亮 URL 的方法).

I can't think of a way in which it could be a serious problem. It's generally enabled by default in most handlers, and is being routinely used as a "poor man's mod_rewrite" (A way to provide fancy-looking URLs).

这篇关于如何防止在以 .php 结尾的 URL 之后添加其他字符串?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！