1

I am replacing an existing very old site written in another lang with a newly-coded php site and I need to double-check a couple of things with respect to security. Website will be running on Windows 2008 R2 using IIS 7.5 and running php 5.3.8.

I am storing db login creds in a file outside of web root. But in my php code I have to include those files and I am using an absolute path. Will php and/or IIS strip out the file path. (I imagine the answer is yes since competing technologies would do likewise, but need to be sure on this and couldn't find the answer.)

On a related point, what is the best place to keep .js files? Is it better security-wise to keep them outside of web root?

Sorry for the basic questions, but am new to php (long time programmer in other langs).

4

2 回答 2

0

我进行了一系列测试,查看了 php 和网络服务器返回的内容的来源。如果您使用 php 命令“require c:\abc\file.php”,则 html 不会返回任何信息。

但是,会显示 .js 文件的路径。这是因为它位于 html 中,而不是 php,因此该路径不会被 php 或网络服务器剥离。

所以从这里我想我可以有把握地说: 1. creds 的路径不会显示在返回给浏览器或 curl 调用或其他任何内容的 html 源中。2. js 和 css 路径是公开显示的,因此值得考虑是否需要保护这些路径(例如,单独的子域或类似的)。

于 2013-09-07T21:21:55.870 回答
0

好吧,php 与 ASP 不同,所以我的建议是为 js/css 创建一个子域,你甚至可以将其命名为CDN ...但是,它仍然比从根目录更好。

于 2013-09-05T20:18:28.743 回答