避免 PHP 代码注入的最佳方法 [英] Best way to avoid code injection in PHP
问题描述
我的网站最近遭到了一个在我看来是无辜的代码的攻击:
My website was recently attacked by, what seemed to me as, an innocent code:
<?php
if ( isset( $ _GET['page'] ) ) {
include( $ _GET['page'] . ".php" );
} else {
include("home.php");
}
?>
那里没有 SQL 调用,所以我不怕 SQL 注入.但是,显然,SQL 并不是唯一的注入方式.
There where no SQL calls, so I wasn't afraid for SQL Injection. But, apparently, SQL isn't the only kind of injection.
这个网站有避免代码注入的解释和几个例子:http://www.theserverpages.com/articles/webmasters/php/security/Code_Injection_Vulnerabilities_Explained.html
This website has an explanation and a few examples of avoiding code injection: http://www.theserverpages.com/articles/webmasters/php/security/Code_Injection_Vulnerabilities_Explained.html
您将如何保护此代码免受代码注入?
How would you protect this code from code injection?
推荐答案
使用白名单并确保页面在白名单中:
Use a whitelist and make sure the page is in the whitelist:
$whitelist = array('home', 'page');
if (in_array($_GET['page'], $whitelist)) {
include($_GET['page'].'.php');
} else {
include('home.php');
}
这篇关于避免 PHP 代码注入的最佳方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!