Home >Backend Development >PHP Tutorial >Asking about the security of three lines of code_PHP tutorial

Asking about the security of three lines of code_PHP tutorial

WBOY
WBOYOriginal
2016-07-13 10:51:34793browse




Ask about the security issues of three lines of code



$js = explode(',',$_GET['js']);

foreach ($js as $file) {

echo file_get_contents('./public/js/'.$file.'.js')."n";

}


Is there any way for an attacker to copy the code and read the PHP file on the server

[ ]

Let me answer




D8888D reply content------------------------------------------------- ----------

$js = $_GET['js'];

$js = explode(',',$js);

$error = null;

!is_array($js) && $error +=1;

$str = null;

foreach ($js as $file) {

eregi('[[:punct:]]',$file) && $error +=1;

$files = "./public/js/{$file}.js";

if (is_file($files))

$str .= file_get_contents($files)."n";

}

if($error!==null)

exit('error');



echo $str;

?>

Copy code [ ]

D8888D reply content------------------------------------------------- ----------
Thank you Yu An
I don’t care how to deal with the error, but what I want to know is whether it is possible for hackers to bypass the .js suffix restriction and access php files
Anyway, no one except hackers can use it
Just add error_reporting(0); for errors
Just read this article
[url=http://www.111cn.cn/html/18/t-3418.html]Link tag http://www.111cn.cn/html/18/t-3418.html[/url]

D8888D reply content------------------------------------------------- ----------
Habits must be developed well.. Process control is good..

For maintenance.

D8888D reply content------------------------------------------------- ----------
Yeah, yeah,
Do you find it easy to bypass restrictions

D8888D reply content------------------------------------------------- ----------
Look at your code.,

Read the file, and read it in a loop... I can't figure out what program needs this structure...

D8888D reply content------------------------------------------------- ----------
Not bad

D8888D reply content------------------------------------------------- ----------
My code is for js loading. Put all js into one file to reduce the number of requests
For example
Pages that need to load jquery, fckeditor and do not require thnikbox can use js=jquery, fckeditor
The code is very simple and the efficiency should be the same as loading a file directly

D8888D reply content------------------------------------------------- ----------
No matter how many js files there are on a page, they can only be scripted once

D8888D reply content------------------------------------------------- ----------
Do not include files uploaded by $_GET
PHP can include remote files


www.bkjia.comtruehttp: //www.bkjia.com/PHPjc/632563.htmlTechArticleAsk for the security issues of three lines of code $js = explode(',',$_GET['js'] ); foreach ($js as $file) { echo file_get_contents('./public/js/'.$file.'.js')."n"; } Is there any way for attackers to copy the code...
Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn