如何保护我的passwords.php文件 [英] How to secure my passwords.php file

问题描述

我有一个passwords.php文件，其中包含我的root密码，用户名和其他机密信息.我已将此文件放置在我的"include"目录中.但是我认为那是不安全的.有人告诉我，您可以通过以下任一方法保护此文件的安全性

-将此文件移出根目录或
-使用.htaccess技术.

我不知道其中哪一个更安全.我不知道该如何使用这些方法.有人可以指导我使用哪个密码保护我的passwords.php文件以及如何使用吗?

I have a passwords.php file which contains my root password, username and other secret information. I have placed this file in my "include" directory. But I think it is not secure there. Some one told me that you can secure this file by either

- putting this file out of the root directory OR
- using .htaccess technique.

I don''t know which one of them is more secure. I don''t know how to use any of these method. Can some one guide me which of them should I use to secure my passwords.php file and how to use?

推荐答案

无论您自己对文件本身的保护程度如何，永远不要存储任何密码. PHP特别容易受到攻击:如果您的PHP脚本可以读取文件，则HTTP客户端原则上可以访问该文件.风险不是很高(特别是文件名对客户端完全隐藏了)，但仍应视为风险.

您可以始终以加密形式存储密码.您不需要密码本身.另外，常见的做法是:包括系统管理员在内，任何人都不应该知道任何人的密码；这是唯一合理的政策.

执行身份验证时，应始终将加密密码与存储的加密密码进行比较，而不要与原始密码进行比较.详细信息取决于您使用的加密技术.

—SA

No matter how well you secure the file itself, never store any passwords. PHP is particularly vulnerable: if you PHP script can read the file, it is in principle accessible to the HTTP client. The risk is not so high (in particular, the file name is completely hidden from the client) but still should be considered as risk.

You can always store passwords in ciphered form. You never need password itself. Also, the common practice is: nobody should know anyone''s passwords, including system administrators; this is the only reasonable policy.

When you perform authentication, you should always compare the ciphered password with the stored ciphered password, never the original passwords. The details depend on the ciphering technology your use.

—SA

加密php文件代码，您可以从网上获得许多加密者，只需加密该php文件并使用

Encrypt the php file code , you can get many encripter from net , just encrypt that php file and use

这篇关于如何保护我的passwords.php文件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！