prevent direct access to a php include

2019-08-17 00:19发布

问题:

I have a php script PayPal eStores/dl_paycart but it has PayPal eStores "settings.php" Security Bypass Vulnerability

I would like to know if I can prevent direct access to a php include file.

Would this help?

defined( '_paycart' ) or die( 'Access to this directory is not permitted' );

Thank you

回答1:

I would STRONGLY recommend finding some new script. Any sort of blocking is just sticking a finger in the dam; it isn't a permanent solution and eventually it's going to break.

If you really want to use it, check out htaccess files, particularly "Order Allow,Deny" and "Deny from All"



回答2:

The problem is that if someone is able to use "include" and read the code contents, variables, and the like, that means that they are already operating on the same server and, to be a bit crude, you're boned if they try to screw with you.

On the other hand, if you're looking to prevent outside access to the file from a remote server, then the include call can only retrieve the values which would be displayed to any external site (and if the question is, "Can I prevent external sites from even loading this file remotely", the answer is "through server configurations in http.conf and .htaccess files" ).

The long and the short, however, is that this is not something which can really be fixed with PHP, this is a server security issue.



回答3:

  1. The fact that the script has a .php extension offers some protection - any http or https call for that file will go through the web server which is going to execute the php before serving the request.

  2. I would recommend moving the script to a directory under your public web directory and putting .htaccess file in that directory that either blocks all requests, or requires a password to access it. Then include the script when needed by scripts in your public directory. See Apache's .htaccess Tutorial



回答4:

Probably the most secure way is something like this

$allowed_files = array("/paths/", "/that/", "/are/", "/allowed/");
if(!in_array($_SERVER['PHP_SELF'], $allowed_files))
{
    die("Not Allowed");
}

Fill the array with Files that you would like to have access. (You might have to access PHP self in each page you want and copy and paste it in). This will check to make sure that the file being executed is one of the allowed pages. If it isn't the script will die.

I believe $_SERVER might be able to be changed, but probably won't be. This file will still be able to be gotten using fopen or file_get_contents, and if someone reads it, they will know what to change.

But I would forewarn, it is not 'completely secure', because there isn't really a way to make something 'completely' secure.