如何使某些文件只能访问PHP脚本？ [英] How do I make certain files accessible just for PHP scripts?

问题描述

我正在构建一个CMS，主页（ index.php ）正在从CMS的目录中的很多小文件构建。例如，结构可能是这样：

  index.php 
 menu / admin / content.php 
 config.php 
 requests.php 
 
 menu / tools / content.php 
 config.php 
 requests.php 
 
菜单/users/content.php 
 config.php 
 requests.php 
  

我访问根目录中的 index.php ，我基于 $ _ GET 参数得到不同的结果。例如，当我访问 index.php？section = tools 时，索引文件加载 content ，<$菜单/ tools / 文件夹中的 cofnig 和请求 p>

现在的问题。 index.php 页面本身只能为已登录的用户访问，但出于安全原因，我想禁用菜单 code>文件夹通过任何其他方式访问，而不是通过php的include函数。

为了演示可能会发生什么：如果我想删除的东西， index.php？section = tools& delete = 5 ，并且在 menu / tools / requests.php 我将检查是否设置了 $ _ GET ['delete'] ，然后从DB中删除ID 5。现在的问题是，如果有人知道实际结构，他可以访问 requests.php 文件，如下所示： site.com/ admin / menu / tools / requests.php？delete = 5 ，并以这种方式破解网站。

有没有办法防止这种可能的攻击？有东西拒绝访问的菜单文件夹中的文件，但仍让他们从我的index.php文件访问？ Htaccess也许？我真的不想把一个检查（如果会话/ cookie设置）到'menu'文件夹中的每一个文件，虽然这将是一个可能的解决方案。

解决方案

在您无法拒绝访问的文件夹中创建包含以下内容的.htaccess：

 拒绝所有
  

最好的办法是网页根目录。

I'm building a CMS and the main page (index.php) is being built up from a lot of small files in the CMS's directory. For example, the structure could be like this:

index.php
menu/admin/content.php
           config.php
           requests.php

menu/tools/content.php
           config.php
           requests.php

menu/users/content.php
           config.php
           requests.php

When I access the index.php in the root directory, I get a different result based on the $_GET parameters. For example, when I access index.php?section=tools, the index file loads up the content, cofnig and requests files from menu/tools/ folder.

Now to the problem. The index.php page itself is accessible just for the logged in users, but for security reasons, I'd like to disable everything in menu folder from being accessed by any other way, than by php's include function.

To demonstrate what could happen: If I want to delete something, I use index.php?section=tools&delete=5, and in the menu/tools/requests.php file, I would check if $_GET['delete'] is set and then delete ID of 5 from the DB. Now the problem is that, if someone knew the actual structure, (s)he could access the requests.php file like this: site.com/admin/menu/tools/requests.php?delete=5, and hack the site that way.

Is there a way to prevent this kind of possible attacks? Something to deny access for the files in menu folder, but still let them be accessed from my index.php file? Htaccess maybe? I really don't feel like putting a check (if session/cookie is set) to every single file in the 'menu' folder, although that would be a possible solution.

解决方案

Create a .htaccess in the folder(s) you wan't to deny access to containing the following:

deny from all

The best would be to have the folder outside of the web root, though.

这篇关于如何使某些文件只能访问PHP脚本？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！