duanfei1930 2015-07-28 17:24
浏览 103
已采纳

可以安全地将私有PHP文件存储在公共目录上并使用require_once加载它们吗?

So currently my websites are structured like this:

/private
    /databaseconfigfile.php
    /otherprivatestuff.php
/public
    /index.php
    /pages
        /page1.php
        /page2.php

I import these private files at the top of each page using:

require_once('../databaseconfigfile.php');

So I can access the define variables within them to populate/generate content.

They contain things like database details, API keys for various 3rd party tools like SMTP, AWS, etc. Is this the correct approach? Or should I be using a different PHP function/approach to access private files? I'm concerned that this approach may be prone to directory traversal attacks.

  • 写回答

2条回答 默认 最新

  • doujinai2183 2015-07-28 18:48
    关注

    Is this the correct approach?

    Yes.

    Or should I be using a different PHP function/approach to access private files?

    No, keeping them outside of your document root should be sufficient. If, for example, you have a Local File Inclusion vulnerability somewhere in your application, you should focus on fixing the vulnerabilities rather than trying to hide your sensitive files.

    Security through obscurity is no security at all.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 springboot+vue 集成keycloak sso到阿里云
  • ¥15 win7系统进入桌面过一秒后突然黑屏
  • ¥15 有一台三相异步电动机 M1控制一个小车,有四个控制按钮,一个复位、一个启动、一个停止,还有一个急停,两个行程开关分别为上限位和下限位。 上限位。 下限位。
  • ¥30 backtrader对于期货交易的现金和资产计算的问题
  • ¥15 求C# .net4.8小报表工具
  • ¥15 安装虚拟机时出现问题
  • ¥15 Selenium+docker Chrome不能运行
  • ¥15 mac电脑,安装charles后无法正常抓包
  • ¥18 visio打开文件一直显示文件未找到
  • ¥15 请教一下,openwrt如何让同一usb储存设备拔插后设备符号不变?