Program code is getting stranger and stranger these days. PHP gives you two statements for pulling one file into another: require and include.
The difference is in error handling: with require, the script terminates if an error occurs; with include, execution continues if an error occurs.
Suppose a website's administrator authentication is implemented in auth.php, and auth.php is maliciously deleted. If require is used, there is no vulnerability.
If include is used, there is a vulnerability. Why? Because include carries on when an error occurs, so the user password is treated as blank and the visitor gets into the admin back end.
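Suppose a website uses a link such as index.php?act=view&file=gonggao.php
The code is:
<?php
// Read the action from the query string (the original relied on it being set already).
$act = isset($_GET["act"]) ? $_GET["act"] : "";
if ($act == "view") {
    // Vulnerable: the path to include comes straight from the request.
    $file = $_GET["file"];
    include $file;
}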
At first glance there is no problem. Look more closely and the problem appears:
$file is a file inclusion vulnerability.
If the website also supports avatar upload or file upload, then combined with this vulnerability it is possible to obtain a webshell on the website.
Solution:
1. The most fundamental fix is not to pass the include target as a parameter at all, and to load configuration files with require wherever possible.
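
A hardened version of the index.php handler above, as an added example that is not from the original article: the request selects a key from a fixed map instead of supplying a path, and the page is loaded with require. The pages/ directory, the about.php entry and the resolve_page() helper are assumptions made for this illustration.

```php
<?php
// Added example (not the original site's code).
// Fixed map from a short page key to a file shipped with the application.
// The request only selects a key; it never supplies a path, so an uploaded
// file can never become the include target.
const PAGES = [
    'gonggao' => 'gonggao.php',
    'about'   => 'about.php',   // hypothetical second page
];

/**
 * Return the absolute path for an allowed page key, or null when the key
 * is not in the map. $baseDir is the application directory (assumption:
 * page files live in its pages/ subdirectory).
 */
function resolve_page($key, array $pages, string $baseDir): ?string
{
    // Reject non-string input such as file[]=x, and any unknown key.
    if (!is_string($key) || !array_key_exists($key, $pages)) {
        return null;
    }
    return $baseDir . '/pages/' . $pages[$key];
}

$act = $_GET['act'] ?? '';
if ($act === 'view') {
    $path = resolve_page($_GET['file'] ?? '', PAGES, __DIR__);
    if ($path === null) {
        http_response_code(404);
        exit('Not found');
    }
    // require stops the script with a fatal error if the file is missing,
    // instead of continuing the way include does.
    require $path;
}
```

With this handler the link becomes index.php?act=view&file=gonggao, and any value of file that is not a key in PAGES gets a 404 without touching the filesystem.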