为什么要将MySQL凭据放在www目录之外? [英] Why put MySQL credentials outside of www directory?

问题描述

可能重复:
将核心类放在网络根上方-好的还是不好的主意?

Possible Duplicate:
Putting core classes above the web root - good or bad idea?

我一直在阅读，最好的做法是将MySQL连接凭据(无论是类，定义等)放置在Web根目录(www文件夹上方)之外.

I keep reading that it's a best practice to put MySQL connection credentials (whether it's a class, defines, etc..) outside of the web root (above the www folder).

这是为什么?如果凭据位于.php文件中，则可以通过浏览器访问该文件并不重要，对吧?

Why is this? If the credentials are in a .php file then it doesn't matter if the file is accessible through the browser, right?

推荐答案

这是一种预防措施.如果有人不小心在您的apache服务器中禁用了php评估或更改了.htaccess文件中的apache设置，则该文件可以像任何纯文本文件一样被提供.或者，如果您不小心忘记了php start标记，它将像纯文本一样重新生成.并不是说您会犯这样一个愚蠢的错误，但是也许将来的新手使用您的代码可能会犯一个错误.

It's a preventative measure. If someone accidently disables php evaluation in your apache server or changes an apache setting in an .htaccess file, the file could be served up like any plain text file. Or, if you accidently forget a php start tag, it would be redenerd like plain text. Not that you'd make such a dumb mistake, but maybe a future newbie working on your code might make a mistake.

为什么要阻止可能的矢量打开，为什么呢?只需听取用自己的脚(或像我一样，用双脚和一只手射击)的其他人的建议，然后将凭据移到您的文档根之外即可.

Why leave a possible vector open when you can prevent it from ever being possible? Just take the advice of others who have shot their own foot (or like me, shot both feet and a hand) and move the credentials outside your docroot.

这篇关于为什么要将MySQL凭据放在www目录之外?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！