.htaccess file: Using .htaccess to block access to include files

.htaccess file

When I build websites for clients and myself, I use numerous include files to make my website easy to maintain. These include files may:


  • be composed of pure HTML, with no server-side programming involved
  • be PHP class files used throughout the website
  • be composed of both HTML and PHP
  • be PHP code that performs a specific action; often these are AJAX scripts

Obviously, if a person were to get lucky and guess the path and file name of my include scripts, problems could result, especially if an AJAX script is not secured (but I wouldn't do that -- nor would you, right?). For example, take the following poorly coded bit of PHP that would get run when an AJAX call was made:


<?php
// inside file: includes/ajax/delete_id.inc
// Deliberately insecure: the raw query-string value is concatenated straight into the SQL.
$query = 'DELETE FROM my_table WHERE id = '.$_GET['id'];
mysql_query($query);

Imagine if the user changed the 'id' in the querystring to "' or 1" -- all data would be lost!


Even if my scripts are secure (meaning I use proper validation to make sure they've been called correctly), a user/hacker has no business calling an include file. Using .htaccess, we can prevent any attempt by a user to reach an include file:


<Files ~ "\.inc$">
	Order allow,deny
	Deny from all
</Files>

The above code tells the server to disallow any requests, by the user, for any file ending in ".inc". You can easily modify the above .htaccess for your own naming convention and folder structure.
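The .htaccess rule above stops the web server from serving the file at all; the injection example earlier shows why that matters. As an added example (not code from the original post), here is a hardened version of the same delete_id.inc that also protects itself at the application level, so a request that slips past the server rule (a different file extension, a missing .htaccess on a new deployment) still cannot run the query. The constant name APP_ENTRY, the $pdo connection object and the entry-script layout are assumptions for this illustration.

```php
<?php
// includes/ajax/delete_id.inc -- hardened version (added example, not the original post's code).
// Assumed setup: the real entry script (e.g. ajax.php) does
//     define('APP_ENTRY', true);
//     require __DIR__ . '/includes/ajax/delete_id.inc';
// and $pdo is a PDO connection created by the application. Both are assumptions.

// 1. Refuse to run when requested directly. The web server rule is the first line of
//    defence; this guard is defence in depth for the case where it does not match.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Validate the parameter: only a positive integer is acceptable as an id.
//    A value such as "' or 1" fails this check and never reaches the database layer.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid id');
}

// 3. Bind the value instead of concatenating it into the SQL string, so the
//    query structure cannot be altered by the request even if validation changes later.
$stmt = $pdo->prepare('DELETE FROM my_table WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();

// Report how many rows were removed (0 if the id did not exist).
header('Content-Type: application/json');
echo json_encode(['deleted' => $stmt->rowCount()]);
```

Two layers are deliberately kept: the .htaccess rule means a direct request for the include never reaches PHP, while the APP_ENTRY guard and the prepared statement make sure that, even when the file is reached, the only thing the request can influence is which integer id is deleted. Note that the Order/Deny directives in the .htaccess snippet are Apache 2.2 syntax; on Apache 2.4 the equivalent inside the Files block is "Require all denied", and the 2.2 form only keeps working if mod_access_compat is loaded.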


Just another .htaccess tip to make your website more secure!


Translated from: https://davidwalsh.name/htaccess-security-include-files
