PHP
PO6OT, 2015-04-04 17:43:48

There is a technology to prevent the execution of malicious PHP code. Refine. Do you have any other ideas or comments?

No PHP files can be executed on the site, because they cannot be accessed via HTTP (this is set in .htaccess). Access via HTTP is allowed to only one file, index.php. The only way to execute a PHP file is for index.php to include it. index.php includes any file on the server whose path is passed to it in the global variable $_GET[p].
Let's assume that we passed the $_GET[p] argument to the index.php file with the value "./script.php".
Then, to avoid executing malicious code, index.php will check script.php for the presence of such code before including it. It will copy the contents of script.php into the $script variable, remove all escaping functions from the variable, and check $script with preg_match() for lines that might delete or change important files. If malicious code is found, then index.php will not include script.php.


3 answer(s)
dxRange, 2015-04-04
@woonem

1. A PHP code validator written in PHP consists of one line, error_reporting(E_ALL | E_STRICT); nothing better has been invented yet.
2. The file must be locked against writing only at the level of system software with sufficient rights, and, accordingly, with limited execution rights, and not in any way by "detecting lines of code in the file that change such and such a file." Even if we filter all the file writing / deleting functions in the code, I can suggest two workarounds:
a) unpacking an uploaded archive with replacement of the "untouchable" file.
b) execution of any reversibly-encrypted piece of code with a key (cannot be filtered by anything).
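
An allowlist front controller as an alternative to including an arbitrary path from $_GET[p] and scanning it with preg_match(), which the answer above says can be worked around. This is an added example, not code from the thread; the `pages` directory, the page names and `resolve_page()` are assumptions, and it needs PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Assumed layout (not from the thread): includable pages live in ./pages,
// a directory that uploads and the web server user cannot write to.
const PAGES_DIR = __DIR__ . '/pages';

// Fixed map of public page names to files. Nothing outside this map is ever
// included, so there is no file content to scan at request time.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

/**
 * Resolve the user-supplied page name to an absolute path, or null.
 * The value of $_GET['p'] is only a lookup key, never part of a path.
 */
function resolve_page(mixed $name): ?string
{
    if (!is_string($name) || !array_key_exists($name, PAGES)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGES[$name]);
    // Defence in depth: after symlink resolution the file must still sit
    // inside PAGES_DIR (catches a swapped symlink or a bad map entry).
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['p'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Not found');
}
require $page;
```

The files under `pages/` should also be read-only for the web server user, which is the system-level write lock the answer above asks for.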

FanatPHP, 2015-04-04
@FanatPHP

They say the truth - one fool will put ten wise men to a standstill.
Garbage from this head must be taken out by wagons.
Are you, for an hour, not from this unfortunate team?

phpus, 2015-04-04
@phpus

What kind of nonsense? Recently, there have been a lot of drug addicts on the toaster ..
