我在PhP中创建了一个联系表单,将用户的电子邮件发送到“email.txt”文档。唯一的问题是任何人都可以在URL“example.com/email.txt”中看到该文档。
我的PHP代码如下所示:
<!DOCTYPE html>
<html>
<head></head>
<body>
<?PHP
$email = $_POST["emailaddress"];
$to = "email@example.com";
$subject = "New Email Address for Mailing List";
$headers = "From: $email\n";
$message = "A visitor to your site has sent the following email address to be added to your mailing list.\n
Email Address: $email";
$user = "$email";
$usersubject = "Thank You";
$userheaders = "From: email@example.com\n";
$usermessage = "Thank you for subscribing to our mailing list.";
mail($to,$subject,$message,$headers);
mail($user,$usersubject,$usermessage,$userheaders);
$fh = fopen("email.txt", "a");
fwrite($fh, $email);
fclose($fh);
?>
<html>
<body>
<table width="400" border="0" cellspacing="0" cellpadding="0">
<tr>
<td>
<div align="center">Thank You, Your Information Has Been Submitted</div>
</td>
</tr>
</table>
</body>
</html>
</body>
</html>
现在有人如何保护文件?
答案 0 :(得分:2)
移动文件,使其存在于HTTP服务器根目录 目录中。
e.g。我的服务器的目录结构类似于:
/hosts/example.com/apache # For server configuration files
/hosts/example.com/pages # For normal files to be served
/hosts/example.com/data # For data files (like the one you are talking about)
/hosts/example.com/logs # For log files
/hosts/example.com/stats # For reports generated from log files
或者(但复杂性增加),改为使用RDBMS。
或者(但如果配置中断,则存在更大的安全问题风险),请将服务器配置为拒绝具体访问该文件。例如在Apache中使用<Files>块和Allow/Deny指令。