共享主机上安全的MySQL密码 [英] Safe MySQL password on shared hosting
问题描述
我为在MySQL数据库上运行的商业客户创建了一个简单的网页,主要由我们的B2C Prestashop电子商店使用。我们正在使用共享主机。这个网站主要基于jQuery jTable(jtable.org),旨在显示当前的近似产品库存。
I've made a simple web page for business clients that operates on MySQL database used mainly by our B2C Prestashop based e-shop. We're using shared hosting. This website is mostly based on jQuery jTable (jtable.org) and is meant to show current, approximate stock of products.
我使用过jQuery jTable'start pack'并为我们的合作伙伴创建了一个简单的前端视图。
它看起来或多或少像jTable教程中的那个:
I've used jQuery jTable 'starter pack' and created a simple front-end view for our partners. It looks more or less like the one in jTable tutorial:
$(document).ready(function () {
//Prepare jTable
$('#PeopleTableContainer').jtable({
title: 'Product Availability',
actions: {
listAction: 'someconfigfile.php?action=list',
},
fields: {
column1: {
title: 'column1',
width: '70%',
key: true
},
column2: {
title: 'column2',
width: '30%'
}
}
});
//Load person list from server
$('#PeopleTableContainer').jtable('load');
});
因为我只想显示我在MySQL数据库中的数据,所以我准备了只读用户我正在使用他的凭据访问数据库。正如jQuery脚本中所见,我通过someconfigfile.php和'list'操作访问数据库。
As I only want to show data I have in MySQL database, I've prepared read-only user and I'm using his credentials to access database. As seen in jQuery script, I'm accessing database through someconfigfile.php and 'list' action.
someconfigfile.php包含MySQL连接字符串以及我的SQL查询在前端视图中填充表。我出于安全目的要做的是将someconfigfile.php放在我的public_html文件夹上的目录中。包含前端HTML,PHP和CSS文件的文件夹将保持在public_html之下。
The someconfigfile.php includes MySQL connection string and also my SQL query for populating the table in front-end view. What I want to do for security purposes is to put someconfigfile.php in directory above my public_html folder. Folder containing HTML, PHP and CSS files for front-end will stay below public_html.
我的问题是:
- 如果我把密码放在public_html之上,我的密码是否可供任何人访问?我的整个前端代码是上面的jQuery jTable。
- 如果我只使用mysql_fetch_assoc($ result)获取数据然后打印数组()的json_encode,我是否容易受到SQL注入攻击?用户无法在此处输入任何数据。
编辑:请注意,从jTable CRUD函数我只留下了Read选项。创建,更新和删除选项已被删除。
Please also note that from jTable CRUD functions I've only left Read option. Create, Update and Delete options have been removed.
推荐答案
我不确定这是如何工作的,因为我没有尝试过它,但是前几天才知道它,所以我想我会分享。
I'm not sure how this works really as I haven't tried it, but learned about it the other day so I thought I'd share.
使用GoDaddy,你可以将你的主域名指向一个子目录,从而创建可以说是一个新的文档根目录。对于其他主机可能不是这种情况,但值得检查。
With GoDaddy, you can point your primary domain name at a sub-directory, therefore creating a new document root before it, so to speak. This may not be the case for other hosts but worth checking.
例如,在根目录中创建一个名为application的新目录,在那里上传应用程序的文件,将您的主域指向那里(您可能需要先删除域名,然后再次使用指定的目录添加域名)。然后,您可以在新文档根目录之前包含文件(例如您的数据库凭据),该文档现在不向公众提供,但可供您的应用程序使用。
For example, create a new directory called 'application' in your root directory, upload your application's files there and point your primary domain there (You may need to remove the domain name first and then add it again with the specified directory). You can then include files - your database credentials for example - from before your new document root, which is now not available to the public but available to your application.
新结构
DB凭证:
/home/www/html/someSite/dbCredentials.php
您的网站(现在指向主域名) :
Your Website (where primary domain is now pointed):
/home/www/html/someSite/application/index.php
示例:
在dbCredentials.php中添加您的凭据:
In dbCredentials.php add your credentials:
<?php
$strHostName = "10.10.10.10";
$strDbName = "dbname";
$strUserName = "dbuser";
$strPassword = "xxx***xxx";
?>
在您的网页上,包括文件并正常使用变量:
On your web page, include the file and use variables as normal:
<?php
require_once ('/home/www/html/someSite/dbCredentials.php');
$db_found = new PDO("mysql:host=$strHostName..........);
?>
消息来源:
如果您尝试一下,请告诉我它是怎么回事。
If you try it, let me know how it goes.
这篇关于共享主机上安全的MySQL密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
