Database Security Issues
Question
I'm helping someone to create an online database. All is fine and good
except for one problem. Here it is:
In order to provide connectivity to the database, I've created a file called
database.php which is readable only by the Apache web server.
It contained the following:
<?php
// Opens the connection for the mtlstats database; the actual password
// is left out of the post.
function database() {
    $db = mysql_connect("localhost", "mtlstats", /* the password */);
    mysql_select_db("mtlstats", $db);
    return $db;
}
?>
I quickly realized that even though nobody could read the password from the
file, there was nothing preventing the other people with accounts on my web
server, from including this file into one of their own php scripts, and
hijacking the database. I therefore made a change, so that it would only
work when called from a file in the /mtlstats directory.
The file now reads as follows:
<?php
function database() {
    // Only hand out a connection when the script being served lives under /mtlstats/.
    if(strpos($PHP_SELF, "/mtlstats/") === 0) {
        $db = mysql_connect("localhost", "mtlstats", /* the password */);
        mysql_select_db("mtlstats", $db);
        return $db;
    }
    // Any other caller gets no connection.
    return NULL;
}
?>
Unfortunately, I've discovered that although $PHP_SELF normally returns the
name of the file being processed by the server, when called from within a
function, it returns NULL for some reason. Can anyone suggest an
alternative means of correcting this problem?
Any assistance would be greatly appreciated.
--
Jonathan Lamothe
Founder of the Anime Void.
http://ani-void.cjb.net
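For the scope problem described in the post, an added example (not code from the original post or any reply): the same gate written against the $_SERVER['SCRIPT_FILENAME'] superglobal, which, unlike the register_globals variable $PHP_SELF, is visible inside a function, and using mysqli because the mysql_* functions no longer exist in current PHP. The site directory /var/www/html/mtlstats and the password placeholder are assumptions.

```php
<?php
// Added example, not the original poster's code. Assumes the site is
// deployed under /var/www/html/mtlstats; the password below is a placeholder.

function database(): ?mysqli
{
    // Directory the executing script must live in (assumed deployment path).
    $allowedDir = realpath('/var/www/html/mtlstats');

    // The script Apache is executing for this request. $_SERVER is a
    // superglobal, so it is available inside the function, unlike $PHP_SELF.
    // realpath() resolves symlinks and "..", so "/mtlstats/../other/x.php"
    // cannot slip past the prefix test.
    $script = realpath($_SERVER['SCRIPT_FILENAME'] ?? '');

    if ($allowedDir === false || $script === false) {
        return null;
    }

    // Compare against the directory plus a trailing separator so that a
    // sibling such as "/mtlstats-other/" does not match the prefix.
    $prefix = $allowedDir . DIRECTORY_SEPARATOR;
    if (strncmp($script, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    // Throw on connection errors instead of returning a half-initialised handle.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli('localhost', 'mtlstats', 'PASSWORD_PLACEHOLDER', 'mtlstats');
}
```

The check is defence in depth only: as the post notes, any script that runs as the same Apache user can still include the file, so separating the users' sites into their own processes and file permissions remains the real boundary.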