将密码以纯文本格式存储在php变量或php常量中是否可行? [英] Is it ever ok to store password in plain text in a php variable or php constant?

问题描述

每个问题，将密码存储在php页面(例如

As per question, is it safe to store passwords on php pages such as

$password = 'pa$$w0rd';

如果用户看不到它，那是安全的，对吧?

If the users can't see it, it's safe, right?

有人实际上建议使用哈希，但是，数据库服务器连接密码会出现问题，不是吗?

Some people actually suggested using hash, however, there would be a problem with database server connection password, wouldn't it?

推荐答案

最简单的答案是否"，而且要视情况而定.

The short answer is both No, and It Depends.

如果出于简单的服务器错误配置或错误位置的回显可能导致否的其他原因，将密码以纯文本格式存储(尤其是在可访问Web的位置)几乎不是一个好主意.走向世界.

It's almost never a good idea to store passwords in plain text, especially in a web accessible location, if for no other reason than a simple server misconfiguration or an echo in the wrong place could expose it to the world.

如果必须存储密码(可能的话)，则可以尝试将其存储在webroot之外，例如 /var/www/public_html/将您的编解码器放在此处
/var/www/includes/在此处输入密码

If you MUST store a password, (which is possible) you could try to store it outside the webroot, eg /var/www/public_html/ Put your codez here
/var/www/includes/ Put your passwords here

最好的办法是让您需要密码的系统(例如数据库包装器)返回已实例化的对象.因此，您无需请求$databasepassword而是需要一个PDO对象，并将数据库类存储在webroot之外.

Even better than that would be to have the system that you need the password for (eg a database wrapper ) return an object already instantiated. so rather than asking for $databasepassword you ask for a PDO object, and store your database classes outside the webroot.

取决于"来自哪些攻击媒介会导致某人有权访问该密码文本，并要求它们已经位于您的文件系统中，如果是这样，您可能还是被搞砸了.

The It Depends comes from what attack vectors would cause someone to have access to that password text, and would it require them to be already inside your filesystem, if so, you're probably screwed anyway.

此外，如果其密码是您的超秘密订户内容的密码，那么，您所丢失的只是一些订阅费用，如果它是您的数据库，则可能有问题，如果这是您的网上银行详细信息，那么对你.

Also, if its the password to your supa-secrit subscriber content, meh, all you've lost is some subscription fees, if its your database, you may have a problem, if it's your online banking details, um good for you.

密码保护的东西有多有价值?

How valuable is the thing the password is protecting?

这篇关于将密码以纯文本格式存储在php变量或php常量中是否可行?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！