Server-side includes - snippets of content that are kept as separate files, allowing their re-use on multiple pages – are particularly useful when developing a site . However, as they typically exist as files in a folder, they can be viewed in a browser, so long as the visitor can guess the right directory path. An example would be trying the following as a URL:
服务器端包含 -将内容摘要保存为单独的文件,以允许它们在多个页面上重复使用-在开发站点时特别有用。 但是,由于它们通常以文件形式存在于文件夹中,因此只要访问者可以猜测正确的目录路径,就可以在浏览器中查看它们。 一个示例将尝试以下作为URL:
If I get the path correct, I can see a list of files in the browser window, and click on a file to see its content.
If the include files only contain static HTML, such as a re-used banners and site navigation, this is not a big deal. But it becomes a serious issue if the include file contains PHP, most especially security information, such as a MySQL connection script. If a visitor can view a file directly to see username, password and domain information for your database, they can log into your server and get into all kinds of mischief. (Note that packages like DreamWeaver allow this by default).
如果包含文件仅包含静态HTML (例如重复使用的横幅广告和网站导航) ,则没什么大不了的。 但是,如果包含文件包含PHP ,尤其是安全信息(例如MySQL连接脚本),则将成为一个严重的问题。 如果访问者可以直接查看文件以查看数据库的用户名,密码和域信息,则他们可以登录到服务器并陷入各种恶作剧。 (请注意, DreamWeaver之类的软件包默认情况下允许这样做)。
Obviously you want to retain the ability of your own pages to read these include files; you just want to stop anyone else from getting into the folder. The solution is to create a .htaccess file with a special command line to restrict access. While it is possible to keep a single .htaccess file at the root of your site to control all access and server activity, for small sites I prefer the simplicity of writing an .htaccess file in each folder I wish to control. (Note that the includes folder is one of the few in which this technique should be used. Some clients with antiquated ideas about copyright and DRM might encourage you to apply the technique to the images directory of a site, but attempting to do so will likely impact your search index on Google.)
显然,您希望保留自己的页面读取这些包含文件的能力; 您只想阻止其他人进入该文件夹。 解决方案是使用特殊的命令行创建.htaccess文件以限制访问。 虽然可以在站点的根目录中保留一个.htaccess文件来控制所有访问和服务器活动,但对于小型站点,我更喜欢在希望控制的每个文件夹中写入.htaccess文件的简单性。 (请注意, includes文件夹是应使用此技术的少数几个文件夹之一。一些对版权和DRM有过时想法的客户可能会鼓励您将这种技术应用于网站的图片目录,但尝试这样做可能会影响您在Google上的搜索索引 。)
First, create the file. It has a very particular, and very special, filename: .htaccess (Note the position of the period at the start, and the lack of any suffix). This is a system file: under most conditions, it will be invisible to your operating system. (You may need to set your web development package of choice (DreamWeaver, Coda, etc) to ensue that the file is visible).
首先,创建文件。 它具有一个非常特殊的文件名: .htaccess (请注意句点在开始时的位置,并且没有任何后缀)。 这是一个系统文件:在大多数情况下,它将对您的操作系统不可见。 (您可能需要设置选择的Web开发包(DreamWeaver,Coda等),以确保该文件可见。
Then, write a single line in the file: deny from all
然后,在文件中写一行:全部拒绝
Finally, upload the .htaccess file to the includes folder on the server.
最后,将.htaccess文件上载到服务器上的include文件夹。
If you want a more elegant response than the default browser error, you can create a 403 page to display, very similar to the 404 (page not found) error page we have discussed earlier. The line added to the root .htaccess file will also be very similar:
如果您想要比默认浏览器错误更优雅的响应,可以创建一个403页面来显示,这与我们之前讨论的404错误页面(未找到页面)非常相似。 添加到根.htaccess文件中的行也将非常相似:
ErrorDocument 403 notallowed.html翻译自: https://thenewcode.com/378/Basic-Site-Security-Protect-Your-Files-With-htaccess
1929
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
