且构网


Why prevent direct access to a PHP file that doesn't echo anything?

Updated: 2023-12-03 08:01:52


Server misconfiguration

The security risk is, in case the web server fails to execute the PHP file (because configuration was reset), its source code will be displayed inside the browser as plain text. And you probably want to prevent that.


Next to that scenario, another problem is, if the file actually does something with your database data for example, calling the file even without any direct output will have an influence on indirect output. This is normally unwanted as well.


In your case it sends an email even, so direct requests can be used to send emails. That is probably unwanted as well.


Not to mention the risks this can have in getting your stuff penetrated. Not that this would be the only place where it is possible, but you should keep the surface small.


The best approach however is to store the application's code outside of the webroot, so that those files are never accessible by a direct HTTP request.
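An added example of the layout the answer recommends (not the original answer's code), assuming a hypothetical `/var/www/example` tree where only `public/` is served: the front controller sets a marker constant and routes through an allow-list, and the mail-sending file outside the webroot refuses to run without that marker, so a direct request can neither trigger the side effect nor, if PHP handling is ever lost, expose the file.

```php
<?php
// ===== public/index.php (the only PHP file under the webroot) =====
declare(strict_types=1);

// Marker set only by the front controller; included files refuse to run without it.
define('APP_ENTRY', true);

// Application code lives one level above the webroot (assumed layout).
$appDir = dirname(__DIR__) . '/app';

// Explicit allow-list: the request can only choose a known action,
// never name an arbitrary file to include.
$actions = [
    'contact' => $appDir . '/send_mail.php',
];

$action = $_GET['action'] ?? '';
if (!isset($actions[$action]) || $_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(404);
    exit('Not found');
}

require $actions[$action];
?>
<?php
// ===== app/send_mail.php (outside the webroot, never served directly) =====
declare(strict_types=1);

// Defence in depth: even if this file is ever copied under the webroot,
// a direct GET/POST to it does nothing because the marker is missing.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit;
}

$to = 'owner@example.invalid';                        // constructed value
$message = trim((string) ($_POST['message'] ?? ''));
if ($message === '') {
    http_response_code(400);
    exit('Empty message');
}

// The side effect (sending mail) is now reachable only via
// POST /index.php?action=contact, not by requesting this file.
mail($to, 'Contact form', $message);
echo 'Sent';
```

With this layout the web server's document root points at `public/` only, so the guard in `send_mail.php` is a second line of defence rather than the primary one.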