将重要的秘密密钥存储在php文件中 [英] Storing important secret keys in php files

问题描述

我们正在使用PHP和一些需要秘密API密钥的第三方服务来制作应用程序. 我们有一个PHP文件，其中包含所有这些键定义，然后在需要时导入(使用require_once).

We're making an app using PHP and using some third party services that require a secret API key. We have a PHP file that contains all those keys definitions that we then import (using require_once) when needed.

这种方法安全吗?我们应该将密钥存储在其他位置吗?

Is this approach safe? Should we store the keys in a different place?

谢谢.

推荐答案

Something similar was asked today for a shell script. The answer is valid here as well: Make sure you store the file outside the web root, or (if that's not possible) protect it using a .htaccess file.

我还喜欢 unset() 包含敏感数据的任何变量使用后，即使脚本后面的完整变量转储(例如在调试消息中)也无法显示出来.

I also like to unset() any variables containing sensitive data after use, so not even a full variable dump (e.g. in a debug message) later in that script could reveal it.

这篇关于将重要的秘密密钥存储在php文件中的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！