Asking about the security issues of three lines of code
$js = explode(',', $_GET['js']);
foreach ($js as $file) {
    echo file_get_contents('./public/js/' . $file . '.js') . "\n";
}
Is there any way for an attacker to exploit this code to read PHP files on the server?
Let me answer
D8888D reply content------------------------------------------------- ----------
<?php
$js = $_GET['js'];
$js = explode(',', $js);
$error = null;
!is_array($js) && $error += 1;
$str = null;
foreach ($js as $file) {
    // Reject any punctuation in the requested name (this covers "." "/" and "\").
    // eregi() was removed in PHP 7; preg_match() with the same POSIX class does the same check.
    preg_match('/[[:punct:]]/', $file) && $error += 1;
    $files = "./public/js/{$file}.js";
    if (is_file($files))
        $str .= file_get_contents($files) . "\n";
}
if ($error !== null)
    exit('error');
echo $str;
?>
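A hardened version of the loader, as an added example that is not part of the original thread or the reply above. It combines the reply's punctuation check with a path-containment check and fails closed on any bad name, so the appended `.js` suffix cannot be bypassed by `../` segments (which would still reach any `.js` file elsewhere on the disk even with the suffix intact) or by a null byte (which truncated the path on PHP releases before 5.3.4; current PHP rejects paths containing NUL outright, but the allow-list makes the loader independent of that). The base directory `public/js` is taken from the question; the function names and the constructed inputs are assumptions for the example.

```php
<?php
// Added example, not code from the original thread. Hardened form of the
// "concatenate several js files into one response" loader discussed above.
// JS_DIR is assumed to be the same ./public/js directory as in the question.

declare(strict_types=1);

const JS_DIR = __DIR__ . '/public/js';

/**
 * Accept only bare file names: letters, digits, underscore and hyphen.
 * This rejects "../", "/", "\", "\0" (null byte) and every other punctuation
 * character, so the ".js" suffix appended later cannot be truncated or
 * redirected. PCRE handles embedded NUL bytes, so "\0" is rejected too.
 */
function isSafeJsName(string $name): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name);
}

/**
 * Resolve a validated name to a real path and confirm it still lies inside
 * the base directory. realpath() returns false for a missing file, which
 * also replaces the is_file() check from the reply above.
 */
function resolveJsPath(string $name, string $baseDir = JS_DIR): ?string
{
    if (!isSafeJsName($name)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $name . '.js');
    if ($base === false || $real === false) {
        return null;
    }
    // Compare with a trailing separator so "/public/js2/x.js" does not pass
    // as being under "/public/js".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

/**
 * Build the combined script body. Returns null if any requested name is
 * invalid or missing, mirroring the reply's exit('error') rather than
 * silently skipping the bad entry.
 */
function buildJsBundle(string $jsParam): ?string
{
    $out = '';
    foreach (explode(',', $jsParam) as $name) {
        $path = resolveJsPath(trim($name));
        if ($path === null) {
            return null;
        }
        $out .= file_get_contents($path) . "\n";
    }
    return $out;
}

// Validation alone, on constructed inputs (no files on disk are needed):
assert(isSafeJsName('jquery') === true);
assert(isSafeJsName('../../index') === false);      // directory traversal
assert(isSafeJsName("../config.php\0") === false);  // null-byte truncation attempt
assert(isSafeJsName('jquery.min') === false);       // dots rejected; rename the file instead

// Request handling, only when run under a web SAPI:
if (PHP_SAPI !== 'cli') {
    $bundle = buildJsBundle($_GET['js'] ?? '');
    if ($bundle === null) {
        http_response_code(400);
        exit('error');
    }
    header('Content-Type: application/javascript; charset=utf-8');
    echo $bundle;
}
```

Two design points: the allow-list is checked before realpath() is called, because realpath() on an unvalidated string is itself a file-system probe, and the containment check uses the resolved path rather than the string the client sent, so symlinks inside `public/js` that point elsewhere are also refused.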
D8888D reply content------------------------------------------------- ----------
Thank you Yu An
I don't care about how the error is handled; what I want to know is whether hackers can bypass the .js suffix restriction and access PHP files.
Anyway, no one except hackers can use it
Just add error_reporting(0); for errors
Just read this article
http://www.111cn.cn/html/18/t-3418.html
D8888D reply content------------------------------------------------- ----------
Good habits have to be developed.. Proper flow control is good..
For maintenance.
D8888D reply content------------------------------------------------- ----------
Yeah, yeah,
Do you find it easy to bypass the restriction?
D8888D reply content------------------------------------------------- ----------
Look at your code.
It reads files, and reads them in a loop... I can't think of what program needs this structure...
D8888D reply content------------------------------------------------- ----------
Not bad
D8888D reply content------------------------------------------------- ----------
My code is for js loading. It puts all the js into one file to reduce the number of requests.
For example
A page that needs to load jquery and fckeditor but does not need thickbox can use js=jquery,fckeditor
The code is very simple, and the efficiency should be the same as loading a single file directly.
D8888D reply content------------------------------------------------- ----------
No matter how many js files a page has, they can all be loaded with a single script tag.
D8888D reply content------------------------------------------------- ----------
Do not include files whose names are passed in via $_GET.
PHP can include remote files.