Security of PHP script, embedded or otherwise


Problem description

I am curious about the security of PHP on an HTML webpage where PHP code is embedded (a webpage that would exist on the server as "webpage.php") or on a PHP script that may be referenced by an HTML page (that is, a PHP script that is not actually part of a webpage that exists on the server as "something.php" and is referenced by "webpage.html"). Getting to the point, let us say that if the source code of my PHP script is known by anyone it would be a very big problem. I know that when you view the source of a PHP page in a browser the PHP script is not shown, but what if the PHP server failed and the HTML still loaded (is this even possible), would a user be able to see the PHP script? To be more general, is there ANY possible way that a user could access the source of a PHP script from a web browser, and if so, how do I prevent it?

Solution

what if the PHP server failed and the HTML still loaded (is this even possible), would a user be able to see the PHP script?

Security holes aside, this typically happens when someone's messing with the server or migrating the site across servers and the PHP files have been dumped into a folder that's not set up to execute PHP. This is the price you pay for PHP deployment being as simple as dropping files into a folder.

Whilst it's never ideal to leak PHP source, you can mitigate the situation by putting all your sensitive deployment information (like database passwords) in a PHP include file that lives outside the web root (the folder mapped to the / URL, often known as htdocs). It's much harder to screw up the configuration to leak that.

(For larger, more modular projects you will typically be doing the bulk of your processing work in includes anyway.)
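
An added example, not part of the original answer: one way to enforce the layout the answer describes, with the secrets include kept outside the web root and a loader that refuses a config file placed under it. The function name load_deploy_config, the directory names and the sample credentials are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Load deployment secrets from a PHP include that must live outside the web root.
 * Hypothetical helper for illustration; names and paths are assumptions.
 */
function load_deploy_config(string $webRoot, string $configFile): array
{
    $root = realpath($webRoot);
    $file = realpath($configFile);
    if ($root === false || $file === false) {
        throw new RuntimeException('web root or config file not found');
    }
    // Refuse a config file that sits under the web root: if the server ever
    // stops executing PHP, anything under the root can be served as plain text.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException("config file is inside the web root: $file");
    }
    $config = require $file;   // the include file returns an array
    if (!is_array($config)) {
        throw new RuntimeException('config file must return an array');
    }
    return $config;
}

// Constructed demo layout: <base>/htdocs is the web root, <base>/private is not mapped to any URL.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'layout_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/htdocs', 0700, true);
mkdir($base . '/private', 0700, true);
$secret = "<?php\nreturn ['db_user' => 'app', 'db_pass' => 'constructed-sample-value'];\n";
file_put_contents($base . '/private/config.php', $secret);
file_put_contents($base . '/htdocs/config.php', $secret); // the layout to avoid

$cfg = load_deploy_config($base . '/htdocs', $base . '/private/config.php');
echo "loaded from outside web root, db_user = {$cfg['db_user']}\n";

try {
    load_deploy_config($base . '/htdocs', $base . '/htdocs/config.php');
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// Remove the constructed demo files.
array_map('unlink', [$base . '/private/config.php', $base . '/htdocs/config.php']);
array_map('rmdir', [$base . '/private', $base . '/htdocs', $base]);
```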
