数据库密码安全 [英] Database password security

问题描述

为什么建议在

服务器上的公共可访问网站之外放置包含

登录名和密码详情的脚本。

当然，如果包含详细信息的文件被赋予了php扩展名

那么没有人可以获得这些文件所包含的信息，如果他们指出他们的话浏览器直接在正确的命名文件，

，因为apache会在发送之前解析php文件。


ie


如果文件名为options.php并且它位于web根目录

目录中并包含以下内容; -


<？php


define（''DBUSER''，''Username''）;

define（''DBPASS''，''Password123''）;


？>


如果网络用户将浏览器直接指向此页面，他们将获得
空白页 - 是否有其他方式可以访问

con我正在俯瞰这个文件的帐篷吗？


tia

smartbloke

解决方案

< blockquote> SmartBloke写道：

当然，如果包含详细信息的文件被赋予了php扩展名
那么没有人可以获得这些文件所包含的信息甚至因为apache会在发送之前解析php文件。

升级过程中sysadmin，或者你，在你的服务器上不小心

忘了将LoadModule指令放在apache.conf中，比如说一小时

左右。

在那个小时内，您网站的任何访问者都会使用

源代码处理您的页面，包括所有数据库架构信息，

密码等。


即使只有5分钟，至少有一个人必然会看到

敏感信息。将它保存在公共

可访问目录中会更安全。


-

Jasper Bryant-Greene

白菜促销

.oO（SmartBloke）

为什么放置哪些脚本是可取的包含
服务器上可公开访问的Web区域之外的
登录名和密码的详细信息。


建议将_all_脚本放在文档根目录之外：


*没有人能够从外部调用它们。

*没有人能够脱离上下文调用脚本，这可能导致

奇怪的结果和错误消息。

*你不喜欢不必担心文件扩展名，不必一直使用

.php。

当然，如果包含详细信息的文件都给了php扩展
然后，如果他们将浏览器直接指向正确的命名文件，那么没有人可以获取这些文件所包含的信息，因为apache会在发送之前解析php文件。

我不太确定。服务器总是可能

忘记解析文件（配置错误，维护......）。


Micha

文章< e6 ** ******************************@4ax.com> ;, Michael Fesser写道：

.oO （SmartBloke）

为什么建议将包含
登录名和密码详情的脚本放在
服务器上可公开访问的网页之外。

建议将_all_脚本放在文档根目录之外：


不，不是。尽管如此，我认为不会在公共区域放置包含

凭证的文件。


*没有人可以从外面打电话给他们。


如果从外面调用脚本是不可能或不需要的，为什么

首先会有脚本？因为我们希望人们给b $ b调用一些脚本。 （那些我们不想让他们打电话的，我们不应该把b
公开）


*没有人能够脱离上下文调用脚本，这可能会导致奇怪的结果和错误消息。


实际上，这完全取决于脚本的设计方式。如果他们

设计得很好，他们就会知道什么时候会被执行

（当他们应该将controll发送到另一个脚本时）。


但是关于他们的背景知识和

他们所在的地方（公共区域与非公共区域）之间没有关系


*您不必担心文件扩展名，也不必一直使用
.php。

再次，公共和非公共领域都是如此。因此，没有一个好的理由将它们放在公共区域之外。


-

Tim Van Wassenhove< http ：//home.mysth.be/~timvw>

Why is it advisable to place scripts which contain details of your
login and password outside of the publicly accessible web area on your
server.
Surely if the files that contain the details are given a php extension
then no-one can get at the information contained by these files even
if they point their browsers directly at the correct named file,
because apache will parse the php file before it is sent.

i.e.

if the file is called options.php and it resides in the web root
directory and contains the following ;-

<?php

define(''DBUSER'', ''Username'') ;
define(''DBPASS'', ''Password123'') ;

?>

If a web user points their browser directly at this page they will
just get a blank page - is there another way of gaining access to the
contents of this file that I am overlooking ?

tia
smartbloke

解决方案

SmartBloke wrote:

Surely if the files that contain the details are given a php extension
then no-one can get at the information contained by these files even
if they point their browsers directly at the correct named file,
because apache will parse the php file before it is sent.

During an upgrade a sysadmin, or you, on your server accidentally
forgets to put the LoadModule directive in apache.conf, say for an hour
or so.

During that hour any visitors to your website are treated with the
source code to your page, including all database schema information,
passwords, etc.

Even if it''s only 5 minutes, at least one person is bound to see the
sensitive information. It''s just safer to keep it out of the publicly
accessible directories.

--
Jasper Bryant-Greene
Cabbage Promotions

.oO(SmartBloke)

Why is it advisable to place scripts which contain details of your
login and password outside of the publicly accessible web area on your
server.
It''s advisable to put _all_ scripts outside the document root:

* No one is able to call them from the outside.
* No one is able to call scripts out of context, which may lead to
strange results and error messages.
* You don''t have to worry about filename extensions, don''t have to use
.php all the time.
Surely if the files that contain the details are given a php extension
then no-one can get at the information contained by these files even
if they point their browsers directly at the correct named file,
because apache will parse the php file before it is sent.

I wouldn''t be too sure about that. It''s always possible that the server
"forgets" to parse a file (configuration error, maintenance, ...).

Micha

In article <e6********************************@4ax.com>, Michael Fesser wrote:

.oO(SmartBloke)

Why is it advisable to place scripts which contain details of your
login and password outside of the publicly accessible web area on your
server.

It''s advisable to put _all_ scripts outside the document root:
No it''s not. Allthough i see reasons not to put files containing
credentials in a public area.

* No one is able to call them from the outside.
If it was impossible or unwanted to call scripts from the outside, why
would there be scripts in the first place? Because we want people to
call some scripts. (And those we don''t want them to call, we should not
make public)

* No one is able to call scripts out of context, which may lead to
strange results and error messages.
Actually, this depends totally on how the scripts are designed. If they
are well-designed, they will know when they are expected to be executed
(and when they should dispatch controll to another script).

But there is no relationship between knowledge about their context, and
the place where they are (public vs non-public area)

* You don''t have to worry about filename extensions, don''t have to use
.php all the time.

Again, this is true for both public as non-public areas. And thus not a
good reason to put them outside the public area.

--
Tim Van Wassenhove <http://home.mysth.be/~timvw>

这篇关于数据库密码安全的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！