PHP编程:第4版 (Chinese edition of Programming PHP, 4th Edition)

by Kevin Tatroe, Peter MacIntyre
January 2021, Publishing House of Electronics Industry
Intermediate to advanced, 505 pages, Chinese

Content preview from PHP编程:第4版
Security Vulnerabilities
...outside the server's document root. For example, if the document root is /home/httpd/html, every file under that directory can be downloaded through a URL. It is easy to keep your code library, configuration files, log files, and other data outside that directory (for example, in /usr/local/lib/myapp). This does not stop other users of the web server from reading those files (see "Don't Use Files" earlier in this chapter), but it does stop the files from being downloaded by remote users.
If you must store these auxiliary files under the document root, configure the web server to refuse requests for them. For example, the following makes Apache refuse any request for a file whose name ends in .inc, a common extension for PHP include files:
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
A better and preferable way to keep PHP source files from being downloaded is to always use .php as their extension.
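The Order/Deny directives above are Apache 2.2 syntax (mod_access); on Apache 2.4 they only work when mod_access_compat is loaded, and the native form is Require (mod_authz_core). The following is an added configuration example, not from the book, that covers both versions with IfModule guards so the same snippet can be dropped into either server:

```apache
# Added example (not from the book): refuse every request for a *.inc file.
# The Order/Deny form is Apache 2.2; the Require form is Apache 2.4.

# Apache 2.2 (mod_authz_core is absent, so mod_access syntax applies)
<IfModule !mod_authz_core.c>
    <Files ~ "\.inc$">
        Order allow,deny
        Deny from all
    </Files>
</IfModule>

# Apache 2.4 (mod_authz_core present)
<IfModule mod_authz_core.c>
    <FilesMatch "\.inc$">
        Require all denied
    </FilesMatch>
</IfModule>
```

After reloading the server, a request for any file ending in .inc returns 403 Forbidden instead of the raw include source. This only blocks downloads through the web server; the files remain readable to local users, which is why the text still recommends keeping them outside the document root altogether.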
If you keep your code library in a different directory, you need to tell PHP where it is. You can either set the path in every include() or require() call in your code, or change the include_path setting in php.ini:
include_path = ".:/usr/local/php:/usr/local/lib/myapp";
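As an added example that is not from the book, the following PHP script applies the same include_path at runtime and, before loading a library file, checks that the file resolved through include_path actually lives outside the document root. The file name config.inc, the function name libraryIsOutsideDocroot, and the fallback document root are assumptions chosen to mirror the paths used in the text:

```php
<?php
// Added example (not from the book). Apply the include_path from the text at
// runtime and verify that a library file resolved through it is not served
// from the document root. Paths and names here are illustrative assumptions.

set_include_path('.' . PATH_SEPARATOR . '/usr/local/php'
    . PATH_SEPARATOR . '/usr/local/lib/myapp');

/**
 * Return true when $file is found on include_path AND its canonical location
 * is outside $docroot. realpath() canonicalises both sides so that symlinks
 * and ".." segments cannot make a file inside the docroot look external.
 */
function libraryIsOutsideDocroot(string $file, string $docroot): bool
{
    $resolved = stream_resolve_include_path($file);
    if ($resolved === false) {
        return false;                       // not found anywhere on include_path
    }
    $real = realpath($resolved);
    $root = realpath($docroot);
    if ($real === false || $root === false) {
        return false;                       // cannot canonicalise; fail closed
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $root, strlen($root)) !== 0;
}

// Under a web server DOCUMENT_ROOT is set; on the CLI fall back to the
// directory used as the example in the text.
$docroot = !empty($_SERVER['DOCUMENT_ROOT'])
    ? $_SERVER['DOCUMENT_ROOT']
    : '/home/httpd/html';

$lib = 'config.inc';   // assumed library file, e.g. /usr/local/lib/myapp/config.inc
if (libraryIsOutsideDocroot($lib, $docroot)) {
    require $lib;      // relative name: PHP searches include_path for it
} else {
    error_log("$lib is missing or would be served from $docroot; refusing to load it");
}
```

Running the check once at application start (or in a deployment test) catches the common mistake of copying the library directory into the document root, where an include file with a non-.php extension would be downloadable as plain text.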
PHP Code Problems

With the eval() function, PHP lets a script execute arbitrary PHP code. Although it has a few minor uses, allowing any "user-supplied" data into an eval() call is an open invitation to hackers. For example, the following code is a nightmare:
<html>
<head> ...
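The following added example, which is not the book's code, puts the pattern the text warns about beside a hardened replacement: instead of handing request text to eval(), the safe version maps a fixed set of operation names to closures and validates the operands before dispatching. The function names and the sample request values are constructed for illustration; it requires PHP 7.4 or later for arrow functions:

```php
<?php
// Added example (not from the book): eval() on user data beside a hardened
// alternative that never passes user-controlled text to the PHP compiler.
// Function names and sample requests are constructed for illustration.

// VULNERABLE (shown only to contrast; never deploy): the request text is
// compiled and run with the web server's privileges.
function vulnerableCalc(string $userExpr)
{
    return eval('return ' . $userExpr . ';');
}

// HARDENED: a fixed table of named operations plus operand validation.
// Unknown operation names and non-numeric operands are rejected outright.
function safeCalc(string $op, string $a, string $b): float
{
    $allowedOps = [
        'add' => fn(float $x, float $y): float => $x + $y,
        'sub' => fn(float $x, float $y): float => $x - $y,
        'mul' => fn(float $x, float $y): float => $x * $y,
        'div' => function (float $x, float $y): float {
            if ($y == 0.0) {
                throw new InvalidArgumentException('division by zero');
            }
            return $x / $y;
        },
    ];
    if (!array_key_exists($op, $allowedOps)) {
        throw new InvalidArgumentException("unknown operation: $op");
    }
    if (!is_numeric($a) || !is_numeric($b)) {
        throw new InvalidArgumentException('operands must be numeric');
    }
    return $allowedOps[$op]((float) $a, (float) $b);
}

// Constructed sample requests, in the shape $_POST would have:
$requests = [
    ['op' => 'add',        'a' => '2',  'b' => '3'],   // legitimate
    ['op' => 'phpinfo();', 'a' => '1',  'b' => '1'],   // injected code in the op field
    ['op' => 'mul',        'a' => '2x', 'b' => '3'],   // malformed operand
    ['op' => 'div',        'a' => '1',  'b' => '0'],   // edge case
];
foreach ($requests as $r) {
    try {
        printf("%-12s => %s\n", $r['op'], safeCalc($r['op'], $r['a'], $r['b']));
    } catch (InvalidArgumentException $e) {
        printf("%-12s => rejected: %s\n", $r['op'], $e->getMessage());
    }
}
```

The design point is that the set of things the request can cause to happen is enumerated in code (the keys of $allowedOps), so the worst a hostile request can do is pick one of them with bad arguments; with eval() the request itself defines the behaviour. When a feature genuinely seems to need eval(), a lookup table, a small expression parser, or a template engine almost always covers the real requirement.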
Publisher Resources

ISBN: 9787121404634