mysql / php是一个安全的方式连接到mysql DB？ [英] mysql/php is this a secure way to connect to mysql DB?

问题描述

好的，所以很多人提出这个问题，并且有很多方法，如何使数据库的安全连接，

Ok , so many people are asking this question, and there are many approaches on how to make the connection to DB secure,

现在我做了一些谷歌，很多建议，将连接到DB代码放在html_public之外的文件中，并在需要连接时从那里调用它。

Now I did some googling , many suggest, putting the connection to DB code in a file outside the html_public , and to call it from there when I need to make a connection.

说实话，虽然我不确定它是多么安全，

to be honest, am happy with what I have, though I'm not sure how secure it is,

这是我如何连接到数据库：

this is how I connect to the DB:

首先，我确保所有输入都完全转义并验证...

first, I make sure all inputs are fully escaped and validated...

之后，在同一页面中，我进行连接，例如：

after , in the same page , i make the connection, for example:

mysql_connect("localhost","Admin","Password") or 
die ("DB Connection Error");
mysql_select_db("Users") or die ("DB Error");

而其余的代码之后，我关闭mysql连接。

and the rest of the code after, I close the mysql connection.

现在，只是DB用户信息写在页面上感觉不对，但是有人（黑客）怎么能得到这个信息呢？

Now , It just don't feel right that the DB user info are written in the page, but how can someone (a "hacker") , get this info?

我的意思是，所有输入都完全转义和验证，我使用的用户有非常有限的前途，比如选择和更新...。

I mean , all inputs are fully escaped and validated, the users I use have very limited previleges, like select and update... only.

这是安全吗？

非常感谢您提供的帮助：）

Thank you very much for ur help in advance :)

shady

推荐答案

您应该考虑将此文件放在Web根目录之外的原因是某些托管服务提供商暂时停止不时解释PHP（由于配置错误，通常在更新后）。

The reason you should consider putting this file outside the web root is that some hosting providers have temporarily stopped interpreting PHP from time to time (due to configuration faults, often after an update on their part). The code will then get sent in clear text and the password will be out in the wild.

考虑这个目录结构，其中 public_html 是网页根目录：

Consider this directory structure, where public_html is the web root:

/include1.php
/public_html/index.php
/public_html/includes/include0.php

现在考虑这 index.php ：

<?php
include('includes/include0.php');
do_db_work_and_serve_page_to_visitor();
?>

如果Web服务器在打开状态下开始提供此文件，则不需要很长时间以下载 include0.php 。没有人能够下载 include1.php ，因为它位于网络根目录之外，因此从未由网络服务器处理。

If the web server starts serving this file in the open, it won't take long before someone tries to download include0.php. Nobody will be able to download include1.php, however, because it's outside the web root and therefore never handled by the web server.

这篇关于mysql / php是一个安全的方式连接到mysql DB？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！