
Access to remote included file classes and functions

<!-- php.ini -->
allow_url_include = On

<!-- fooFile.php on "http://www.example.com/" -->
<?php
  function fooFunc()
  { // this function has SOME SECURITY CODE that the remote user must not be able to see...
    return ("this as fooFunc() on fooFile.php");
  }
?>

<!-- index.php on "my website" -->
<?php
  require_once("http://www.example.com/fooFile.php");
  echo fooFunc();
?>

Fatal error: Call to undefined function fooFunc() in ...


The server on example.com must return PHP as output. In other words, it must return plain text. Disable your PHP engine on example.com or change fooFile.php to:

<?php
echo <<<'EOD'
<?php
  function fooFunc()
  { return ("this as fooFunc() on fooFile.php");
  }
?>
EOD;
?>


If you require an external PHP page, you get the parsed results. Imagine what a security hazard it would be if you could "require" an external page and instantly see the code.

If you want to include it as source, the source should be readable, like making it a .txt instead of a .php.


You would have to make it plain text. If you don't want people to see the security info then store it somewhere else like an SQL or MySQL database, if your server supports it, then in the code you can just retrieve the data from your database.
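
An added example, not part of the original question or answers: with `allow_url_include = On`, whatever example.com returns is executed as PHP on the including site, so it is worth auditing for both the setting and literal remote includes. The Python check below uses hypothetical helper names and constructed sample input modelled on the question's php.ini and index.php.

```python
import re

# php.ini values PHP treats as "enabled".
_TRUE = {"1", "on", "yes", "true"}
_INI_LINE = re.compile(r'\s*(allow_url_include|allow_url_fopen)\s*=\s*"?(\w+)', re.I)
# include/require[_once] whose argument is a string literal starting with a URL scheme.
# Limitation: paths assembled from variables are not detected.
_REMOTE_INC = re.compile(
    r'\b(?:include|require)(?:_once)?\s*\(?\s*["\'](?:https?://|ftp://|data:)', re.I)

def url_include_enabled(ini_text):
    """True if includes can fetch URLs: needs allow_url_include AND allow_url_fopen."""
    # PHP defaults: allow_url_include is Off, allow_url_fopen is On.
    values = {"allow_url_include": "0", "allow_url_fopen": "1"}
    for line in ini_text.splitlines():
        m = _INI_LINE.match(line.split(";", 1)[0])  # drop ';' comments
        if m:
            values[m.group(1).lower()] = m.group(2).lower()  # last setting wins
    return all(v in _TRUE for v in values.values())

def find_remote_includes(php_source):
    """Return (line_number, statement) for each include/require of a literal URL."""
    hits = []
    for no, line in enumerate(php_source.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*")):  # skip whole-line comments
            continue
        if _REMOTE_INC.search(stripped):
            hits.append((no, stripped))
    return hits

def audit(ini_text, php_source):
    """Collect human-readable findings for one php.ini and one PHP file."""
    findings = []
    if url_include_enabled(ini_text):
        findings.append("php.ini: allow_url_include is enabled")
    for no, stmt in find_remote_includes(php_source):
        findings.append(f"line {no}: remote include: {stmt}")
    return findings

# Constructed sample input mirroring the question's configuration and index.php.
SAMPLE_INI = "; constructed sample\nallow_url_include = On\n"
SAMPLE_PHP = ('<?php\n  require_once("http://www.example.com/fooFile.php");\n'
              '  echo fooFunc();\n?>\n')

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI, SAMPLE_PHP):
        print(finding)
```
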
