PHP Security: Source Code Exposure

Source: Internet
Author: User



Source code exposure

An important issue with included files is the exposure of source code. The main causes of this problem are the following common situations:

  • The .inc extension is used for included files.

  • Included files are stored in the website's document root.

  • Apache is not configured with a file type for .inc files.

  • Apache's default file type is text/plain.

As a result, the included files can be requested directly by URL. Worse, they are served as plain text instead of being parsed by PHP, so your source code is displayed in the browser (see Figure 5-1).

Figure 5-1. Source code exposure on the server

It is easy to avoid this situation. You only need to reorganize your application and put all included files outside the website's document root. The best approach is to keep only the files that must be publicly accessible under the document root.

Although this may sound crazy, many situations can lead to exposure of source code. I have seen Apache configuration files mistakenly written (and not found before the next startup), inexperienced system administrators upgrade Apache but forget to add PHP support, and a lot of other situations that can cause source code exposure.

By keeping as much PHP code as possible outside the website's document root, you can prevent source code exposure. At the very least, the best practice is to keep all included files outside the document root.

Some methods can limit the possibility of source code exposure, but they cannot fundamentally solve the problem. These methods include configuring Apache to process .inc files the same way as .php files, giving included files a .php suffix, and configuring Apache to refuse direct requests for .inc files:

    <Files ~ "\.inc$">
        Order allow,deny
        Deny from all
    </Files>

Although these methods have their own advantages, none of them is as secure as storing included files outside the website's document root. Do not rely on the above methods to protect your applications; at most, treat them as defense in depth.
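An added example (not from the original article): a Python audit that walks a document root and lists files that contain PHP code but whose extension is not handled by PHP, which are the files a direct request would return unparsed. The function names, the `handled` extension set and the sample directory layout are assumptions constructed for illustration.

```python
import os
import tempfile

PHP_OPEN_TAGS = (b"<?php", b"<?=")

def find_exposed_sources(docroot, handled=(".php",)):
    """List docroot-relative files that contain PHP code but whose extension
    is not in `handled` (assumed to be the extensions the server passes to PHP)."""
    exposed = []
    for dirpath, _dirs, names in os.walk(docroot):
        for name in names:
            if os.path.splitext(name)[1].lower() in handled:
                continue  # parsed by PHP, source is not sent to the client
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # only the first 64 KiB is inspected
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if any(tag in head for tag in PHP_OPEN_TAGS):
                rel = os.path.relpath(path, docroot)
                exposed.append(rel.replace(os.sep, "/"))
    return sorted(exposed)

def build_sample_site(base):
    """Write a constructed sample layout under `base`; return its document root."""
    files = {
        "htdocs/index.php": "<?php require '../includes/ok.inc'; ?>",
        "htdocs/inc/db.inc": "<?php $db_pass = 'constructed-sample'; ?>",
        "htdocs/lib/mail.inc": "<?php function send_mail() {} ?>",
        "htdocs/style.css": "body { margin: 0 }",
        "includes/ok.inc": "<?php function ok() {} ?>",  # outside the docroot
    }
    for rel, body in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return os.path.join(base, "htdocs")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_site(tmp)
        for rel in find_exposed_sources(root):
            print("not parsed by PHP, source would be served:", rel)
        # With .inc also handled by PHP (a mitigation from the text): nothing listed
        print(find_exposed_sources(root, handled=(".php", ".inc")))
```

An empty result for a real document root means no file there carries PHP code under an unhandled extension; anything listed is a candidate for moving outside the document root.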
