如何使某些文件只能访问PHP脚本? [英] How do I make certain files accessible just for PHP scripts?
问题描述
我正在构建一个CMS,主页( index.php
)正在从CMS的目录中的很多小文件构建。例如,结构可能是这样:
index.php
menu / admin / content.php
config.php
requests.php
menu / tools / content.php
config.php
requests.php
菜单/users/content.php
config.php
requests.php
我访问根目录中的 现在的问题。 index.php
,我基于 $ _ GET
参数得到不同的结果。例如,当我访问 index.php?section = tools
时,索引文件加载 content
,<$菜单/ tools / 文件夹中的请求
p>
index.php
页面本身只能为已登录的用户访问,但出于安全原因,我想禁用菜单
为了演示可能会发生什么:如果我想删除的东西, index.php?section = tools& delete = 5
,并且在 menu / tools / requests.php
我将检查是否设置了 $ _ GET ['delete']
,然后从DB中删除ID 5。现在的问题是,如果有人知道实际结构,他可以访问 requests.php
文件,如下所示: site.com/ admin / menu / tools / requests.php?delete = 5
,并以这种方式破解网站。
有没有办法防止这种可能的攻击?有东西拒绝访问的菜单文件夹中的文件,但仍让他们从我的index.php文件访问? Htaccess也许?我真的不想把一个检查(如果会话/ cookie设置)到'menu'文件夹中的每一个文件,虽然这将是一个可能的解决方案。
在您无法拒绝访问的文件夹中创建包含以下内容的.htaccess:
拒绝所有
最好的办法是网页根目录。
I'm building a CMS and the main page (index.php
) is being built up from a lot of small files in the CMS's directory. For example, the structure could be like this:
index.php
menu/admin/content.php
config.php
requests.php
menu/tools/content.php
config.php
requests.php
menu/users/content.php
config.php
requests.php
When I access the index.php
in the root directory, I get a different result based on the $_GET
parameters. For example, when I access index.php?section=tools
, the index file loads up the content
, cofnig
and requests
files from menu/tools/
folder.
Now to the problem. The index.php
page itself is accessible just for the logged in users, but for security reasons, I'd like to disable everything in menu
folder from being accessed by any other way, than by php's include function.
To demonstrate what could happen: If I want to delete something, I use index.php?section=tools&delete=5
, and in the menu/tools/requests.php
file, I would check if $_GET['delete']
is set and then delete ID of 5 from the DB. Now the problem is that, if someone knew the actual structure, (s)he could access the requests.php
file like this: site.com/admin/menu/tools/requests.php?delete=5
, and hack the site that way.
Is there a way to prevent this kind of possible attacks? Something to deny access for the files in menu folder, but still let them be accessed from my index.php file? Htaccess maybe? I really don't feel like putting a check (if session/cookie is set) to every single file in the 'menu' folder, although that would be a possible solution.
Create a .htaccess in the folder(s) you wan't to deny access to containing the following:
deny from all
The best would be to have the folder outside of the web root, though.
这篇关于如何使某些文件只能访问PHP脚本?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!