Displaying a PHP variable in JavaScript - security point

Originally I had the following structure:

index.html file:

...
<script src="myfunctions.js"></script>
...

myfunctions.js file:

...
function one() {
....
}
function two() {
....
}
function three() {
....
}

That way I got over 2 500 lines of JavaScript written but then I had to add a PHP variable to a function so I had to rename index.html to index.php, rename myfunctions.js to myfunctions.js.php and do the following changes:

index.php file:

...
<?php
    include("myfunctions.js.php");
?>
...

myfunctions.js.php file:

<script>
...
function one() {
....
}
function two() {
....
}
function three() {
....
}
function four() {
    var x = <?php echo $_conf['user_id'];?>
    console.log(x);
}
</script>

I have achieved my purpose of using a PHP variable in JavaScript but I have noticed that the web page in the browser started to show all the included functions, i.e. in the first case when I was looking at the page with a debug tool or by saving that page on a disk I saw just some little JavaScript code contained in index.html but now looking at or saving the index.php file I see all the functions from myfunctions.js.php visible. Of course the visible content didn't change but the actual output got 2 500 lines longer. Would that be a security problem? Should I avoid this way of showing a PHP variable in JavaScript or shouldn't I be concerned about it and leave it how it is?

My concern is that in the second case all my functions get exposed so a malicious user can see all the server-side PHP script names and required parameters, which gives more ways to attack.

doog1092
S. Those are not data, all of these are functions that request different PHP scripts and display the output.
about 7 years ago

douyanguo7964
I'm not sure I understand the concern or the problem here. Whatever you do, the client can view the JavaScript file.
about 7 years ago

dongyan9950
Don't mix data and script. It looks like you already did, if you wrote over 2500 lines of JavaScript. Convert your data into JSON (in PHP), then apply the JavaScript to the data.
about 7 years ago

3 Answers



The PHP code is processed on the server so all anyone will see is the output of that PHP. So your PHP code is still hidden.

If you're seeing PHP code in your HTML output then either your server is configured incorrectly or you have a syntax error which echoes out what you intend for the parser to process.

duanhuang4306
This isn't necessarily a bad thing, since you can cache that file for performance; if you don't want all of it loaded at once, you could have the PHP script take parameters for which functions to include for any given page and output only those.
about 7 years ago

dourang20110122
No, I don't see the PHP code, I just made the output page bigger with all the included js functions.
about 7 years ago




Using index.php is fine but you don't really want to do a PHP include of a JS file like that.

The simplest way to go about it is to include the JS file like you were doing

<script src="myfunctions.js"></script>

and then add a small amount of Javascript to the PHP file which outputs the user_id.

function userId() {
    return <?php echo $_conf['user_id'];?>
}

Then function four can access it like

function four() {
    console.log(userId());
}

Ideally you will want your functions as part of an Object or module.

Another approach would be for function four to query the server for the user_id and then cache it in some way.



Careful you aren't introducing an XSS vulnerability. If $_conf['user_id'] is an integer then you should be fine, but be careful of mixing client side and server side script like this. @Paul S's comment is the way to go.

See here for more tips https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
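The userId() pattern from the previous answer and the XSS caveat from this one, as an added example that is not part of the original question or any of the answers. It is written in Node.js so it runs stand-alone: the render* functions stand in for the PHP template, the value passed to them stands in for $_conf['user_id'], and the PAYLOAD string, the page-conf element id and the function names are all constructed for this example. In PHP the encoder jsonForScript corresponds to json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT).

```javascript
// Added example, not code from the original post. Models "PHP echoes a value
// into an inline <script>" in plain JavaScript so it can run under Node.

// Encode a value as a JSON literal that is also safe inside a <script> element.
// JSON.stringify never leaves a quote unescaped, but it leaves "<", ">" and "&"
// alone, so a string containing "</script>" would still end the script element
// when the browser parses the HTML. \u00XX escapes are valid JSON and valid
// JavaScript, so the decoded value is unchanged.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')   // line terminators that JSON allows raw
    .replace(/\u2029/g, '\\u2029');  // but that older JS string literals did not
}

// The pattern from the question and from the userId() answer: raw interpolation.
// Acceptable only if the server itself guarantees the value is an integer;
// an XSS sink for anything an attacker can influence.
function renderRaw(userId) {
  return '<script>\nfunction userId() { return ' + userId + '; }\n</script>';
}

// Same template, value encoded before it is pasted into the script.
function renderEncoded(userId) {
  return '<script>\nfunction userId() { return ' + jsonForScript(userId) + '; }\n</script>';
}

// Separate data from script, as the JSON comment suggests: the page carries
// only the data, in a non-executable JSON script element, and the 2 500 lines
// of functions stay in a static, cacheable myfunctions.js.
function renderDataIsland(conf) {
  return [
    '<script type="application/json" id="page-conf">' + jsonForScript(conf) + '</script>',
    '<script src="myfunctions.js"></script>',
  ].join('\n');
}

// In the browser the static myfunctions.js would do
//   JSON.parse(document.getElementById('page-conf').textContent)
// The DOM lookup is replaced by a string search here so the example runs offline.
function readDataIsland(html) {
  const m = html.match(/<script type="application\/json" id="page-conf">([\s\S]*?)<\/script>/);
  if (!m) throw new Error('page-conf data island not found');
  return JSON.parse(m[1]);
}

// Count "</script" sequences in rendered HTML. The HTML parser closes a script
// element at the first one it meets, so a template that emits one <script>
// element must produce exactly one; more than that means the value broke out.
function scriptCloseCount(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed attacker input: a "user_id" that is not an integer.
const PAYLOAD = '0; }</script><script>alert(document.cookie)</script><script>function z() { return 0';
```

With an integer both renderRaw and renderEncoded produce the same single script element; with PAYLOAD the raw template yields three `</script` sequences, i.e. the injected script runs, while the encoded template still yields one and userId() simply returns the payload as a string. The data-island variant answers the size concern in the question as well: nothing about the 2 500 extra lines is a secret, since myfunctions.js was always downloadable by anyone, but keeping the functions in a separate static file lets the browser cache them and leaves only the per-page data inline. In the PHP file the equivalent of jsonForScript is `echo json_encode($_conf['user_id'], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);`.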
