duanfei1930 2015-07-28 17:24
浏览 103
已采纳

可以安全地将私有PHP文件存储在公共目录上并使用require_once加载它们吗?

So currently my websites are structured like this:

/private
    /databaseconfigfile.php
    /otherprivatestuff.php
/public
    /index.php
    /pages
        /page1.php
        /page2.php

I import these private files at the top of each page using:

require_once('../databaseconfigfile.php');

So I can access the define variables within them to populate/generate content.

They contain things like database details, API keys for various 3rd party tools like SMTP, AWS, etc. Is this the correct approach? Or should I be using a different PHP function/approach to access private files? I'm concerned that this approach may be prone to directory traversal attacks.

  • 写回答

2条回答 默认 最新

  • doujinai2183 2015-07-28 18:48
    关注

    Is this the correct approach?

    Yes.

    Or should I be using a different PHP function/approach to access private files?

    No, keeping them outside of your document root should be sufficient. If, for example, you have a Local File Inclusion vulnerability somewhere in your application, you should focus on fixing the vulnerabilities rather than trying to hide your sensitive files.

    Security through obscurity is no security at all.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥50 如何用单纯形法寻优不能精准找不到给定的参数,并联机构误差识别,给定误差有7个?matlab
  • ¥15 workstation加载centos进入emergency模式,查看日志报警如图,没有XFS,怎样解决呢?
  • ¥20 求各位解释一道区间DP
  • ¥15 应用商店如何检测在架应用内容是否违规?
  • ¥15 Ubuntu系统配置PX4
  • ¥50 nw.js调用activex
  • ¥15 数据库获取信息反馈出错,直接查询了ref字段并且还使用了User文档的_id而不是自己的
  • ¥15 将安全信息用到以下对象时发生以下错误:c:dumpstack.log.tmp 另一个程序正在使用此文件,因此无法访问
  • ¥15 速度位置规划实现精确定位的问题
  • ¥15 MAC虚拟机(win11)USB插上后无串口com,无法烧录