Source Code Exposure
An important concern about include files is the exposure of source code. The main causes of this problem are the following common situations:
- The .inc extension is used for include files
- Include files are saved in the website's home directory
- Apache has no type set for .inc files
- The default file type for Apache is text/plain
This situation allows include files to be requested directly through a URL. Worse, they will be treated as plain text rather than being parsed by PHP, so your source code will be displayed in the user's browser (see Figure 5-1).
Figure 5-1. Source code exposure in the server
It is easy to avoid this situation. Simply reorganize your application and put all included files outside the home directory; the best approach is to keep only the files that need to be publicly accessible in the website's home directory.
While this may sound crazy, many situations can lead to source code exposure. I have seen Apache configuration files being misinterpreted (and not found before the next boot), an inexperienced system administrator upgrade Apache but forget to add PHP support, and a whole bunch of other situations that can lead to source code exposure.
You can prevent source code from being exposed by saving as much PHP code as possible outside of your website's home directory. At the very least, it's a good idea to keep all of the included files outside the home directory.
Some methods can limit the possibility of source code exposure but do not fundamentally solve the problem. These methods include configuring Apache to handle .inc files the same way as PHP files, using the .php suffix for include files, and configuring Apache to refuse direct requests for .inc files:
<Files ~ "\.inc$">
    Order allow,deny
    Deny from all
</Files>
Although these methods have their advantages, none of them is as secure as keeping include files outside the website's home directory. Do not rely on the methods above to protect your application; at most, treat them as defense in depth.