Solution to prevent PHP from forging local files in Linux_PHP Tutorial

WBOY
Release: 2016-07-13 17:10:21
Original
1170 people have browsed it

We only talk about the Linux system as an example, but the prevention method is effective in any system. Let’s take a look at the following operations.


You can use it like this

/etc/security/environ /etc/security/limits
The code is as follows
 代码如下 复制代码

http://www.xxx.com/index.php?page=../etc/passwd
http://www.xxx.com/index.php?page=../../../etc/passwd
http://www.xxx.com/index.php?page=..../../etc/passwd

获取更多数据:
etc/profile
etc/services
/etc/passwd
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default

Copy code


http://www.xxx.com/index.php?page=../etc/passwd

http://www.xxx.com/index.php?page=../../../etc/passwd

http://www.xxx.com/index.php?page=..../../etc/passwd
 代码如下 复制代码

?page=intval($_GET);

Get more data:

etc/profile

etc/services

/etc/passwd

/etc/shadow

/etc/group
 代码如下 复制代码

$body = htmlspecialchars(isset($_GET[$str])?$_GET[$str]:'');

/etc/security/group

/etc/security/passwd

/etc/security/user
/usr/lib/security/mkuser.default

Like the above code, if you are ?page=$_GET This is it. Analyze the reason, because we only have numbers for paging, so we do it like this
The code is as follows Copy code
?page=intval($_GET); In this way, the characters cannot be submitted. We use the intval function to filter, so how to deal with the submitted characters.
When processing characters, we use PHP’s built-in functions addslashes and htmlspecialchars to filter, as
The code is as follows Copy code
$body = htmlspecialchars(isset($_GET[$str])?$_GET[$str]:''); This basically filters out various security injections. Of course, if your server has vulnerabilities, it cannot be solved in PHP. http://www.bkjia.com/PHPjc/629691.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/629691.htmlTechArticleWe only talk about Linux systems as examples, but the prevention methods are effective in any system. Let’s look at them first. To see the operation, you can use the code as follows Copy the code http://www.xx...
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template