开发者

PHP: prevent folder hacking - if path has ../ in it?

问答 作者:

i'm doing a simple thingy in php and i wonder how i can test if the variable $path contains the following structure ../

so i'll simply have a ?path=somepath structure in my url, and if anybody would enter ../ it allows him to go one directory up. I know of course that that's not the best开发者_JAVA技巧 solution, however for my little thingy it's enough if i just test the $path variable for a string of "../" in it. if so die();

i'm not sure what's the best way to test that!

regards matt

Instead of doing that, you could just call realpath() on it and check if the path it's supposed to be in is a prefix of that.

Even better, why not keep a whitelist and reject anything not in it?

to answer your question:

if(strpos($path,'../') !== false){
  // looks like someone 's trying to hack here - simply
  // do nothing (or send an email-notification to yourself
  // to be informed and see how often this happens)
}else{
  // here comes the magic

}

but: you really shouldn't do so. if you want an easy solution, use a switch-statement for every possible $path and include the relevant file (or whatever you have to do).

I's an alternative solution that allow you to customize the url....

<?php
$arr= array(
  "register" => "register.php",
  "login" => "userlogin.php",
  "admin" => "adminlogin.php",
  "etc" => "otherpage.php",
  );
if ( isset ( $_GET['path'] )    
    if ( array_key_exists( $_GET['path'] , $arr) ){
      //do some stuff... 
      include( $arr[$_GET['path']] );
    }
    else
      echo 'Page Not Found!';          
else
  echo 'Required Field Empty!';       
?>

So calling index.php?path=admin page adminlogin.php will be included....

one of the easier ways is to harden your php.ini config, specifically the open_basedir directive. Keep in mind, some CMS systems do actually use ..\ quite a bit in the code, and when there are includes outside the root folder this can create problems. (i.e. pear modules)

Another method is to use mod_rewrite.

Unless you are using an include file to check each and every URL for injection from $_GET and $_SERVER['request_uri'] variables, you will open doors for this kind of attack. for example, you might protect index.php but not submit.php. This is why hardening php.ini and .htaccess is the preferred method.

继续阅读:php

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9