Evaluate the security of three lines of code
$js = explode(',', $_GET['js']);
foreach ($js as $file) {
    echo file_get_contents('./public/js/' . $file . '.js') . "\n";
}
Can an attacker read PHP files on the server?
D8888D reply content -------------------------------------------------------
<?php
$js = $_GET['js'];
$js = explode(',', $js);
$error = null;
!is_array($js) && $error += 1;
$str = null;
foreach ($js as $file) {
    // original used eregi('[[:punct:]]', ...); ereg functions were removed in PHP 7
    preg_match('/[[:punct:]]/', $file) && $error += 1;
    $files = "./public/js/{$file}.js";
    if (is_file($files))
        $str .= file_get_contents($files) . "\n";
}
if ($error != null)
    exit('error');
echo $str;
?>
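The question the thread keeps returning to is whether a ".js" suffix appended to untrusted input is enough of a restriction. The safer design does not depend on the suffix at all: it allow-lists the requested name, resolves the path with realpath() and then checks that the canonical file still sits under the scripts directory. The punctuation filter in the reply above also rejects legitimate names such as jquery-1.4 (dash and dot), so the allow-list below permits those while still refusing slashes and ".." segments. This is an added example for the same bundling endpoint, not code from the original poster; it assumes PHP 8.0+ (for str_contains() and friends), that scripts live in ./public/js next to this file, and a request of the form ?js=jquery,fckeditor.

```php
<?php
// Added example: a hardened version of the "?js=a,b,c" bundler from the thread.
// Assumes PHP 8.0+ and that scripts live in ./public/js relative to this file.
declare(strict_types=1);

/**
 * Resolve one requested script name to a file inside $baseDir, or return null.
 *
 * Defence in depth: an allow-list on the raw name (letters, digits, dot, dash,
 * underscore; no slashes, no ".." segments), then a realpath() containment check
 * so the canonical file really sits under the base directory and ends in ".js".
 */
function resolveScript(string $baseDir, string $name): ?string
{
    // 1. Strict allow-list on the raw name: rejects empty names, "/", "\",
    //    NUL bytes and anything outside the expected character set.
    if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9_.-]{0,63}\z/', $name)) {
        return null;
    }
    if (str_contains($name, '..')) {
        return null;
    }

    // 2. Resolve and confirm containment. realpath() follows symlinks and
    //    normalises the path, so compare the canonical result with the base.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.js');
    if ($base === false || $path === false) {
        return null;
    }
    if (!str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    if (!str_ends_with($path, '.js') || !is_file($path)) {
        return null;
    }
    return $path;
}

/**
 * Build the concatenated bundle. Rejected names are reported as JS comments
 * instead of being silently dropped, without echoing any server path.
 */
function bundleScripts(string $baseDir, string $jsParam): string
{
    $out = '';
    foreach (explode(',', $jsParam) as $raw) {
        $name = trim($raw);
        $path = resolveScript($baseDir, $name);
        if ($path === null) {
            // addcslashes() escapes "*" and "/" so the name cannot close the comment
            $out .= '/* skipped: ' . addcslashes($name, "*/\r\n") . " */\n";
            continue;
        }
        $out .= file_get_contents($path) . "\n";
    }
    return $out;
}

// ?js[]=... would arrive as an array; only accept a plain string.
$param = $_GET['js'] ?? '';
if (!is_string($param)) {
    $param = '';
}

header('Content-Type: application/javascript; charset=utf-8');
echo bundleScripts(__DIR__ . '/public/js', $param);
```

The realpath() check is the part that actually answers the thread's question: even if the name validation were loosened, a file that resolves outside ./public/js, or that is not a regular .js file once resolved, is never read. Keeping the allow-list as well means most bad input is rejected before the filesystem is touched.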
D8888D reply content -------------------------------------------------------
Thank you, Yu.
Regardless of how the error is handled, I want to know whether it is possible for a hacker to bypass the restriction of the suffix. js to access the PHP file.
No one except the hacker
Add error_reporting(0);
I just read this article.
D8888D reply content -------------------------------------------------------
Good habits... good process control...
Good for maintenance.
D8888D reply content -------------------------------------------------------
Grace,
Do you think it is easy to bypass the restriction?
D8888D reply content -------------------------------------------------------
Look at your code.
Reading a file also reads the file in a loop... I don't know what programs need this structure.
D8888D reply content -------------------------------------------------------
Good
D8888D reply content -------------------------------------------------------
My code is used for JS loading. I put all JS files into one response to reduce the number of requests.
For example:
jQuery needs to be loaded, fckeditor does not, and thickbox pages do not: js=jquery,fckeditor
The code is very simple, and the efficiency should be the same as loading a file directly.
D8888D reply content -------------------------------------------------------
One page has more JavaScript scripts only once.
D8888D reply content -------------------------------------------------------
Do not include files based on $_GET.
PHP can include remote files.