将重要的秘密密钥存储在php文件中 [英] Storing important secret keys in php files
问题描述
我们正在使用PHP和一些需要秘密API密钥的第三方服务来制作应用程序. 我们有一个PHP文件,其中包含所有这些键定义,然后在需要时导入(使用require_once).
We're making an app using PHP and using some third party services that require a secret API key. We have a PHP file that contains all those keys definitions that we then import (using require_once) when needed.
这种方法安全吗?我们应该将密钥存储在其他位置吗?
Is this approach safe? Should we store the keys in a different place?
谢谢.
推荐答案
Something similar was asked today for a shell script. The answer is valid here as well: Make sure you store the file outside the web root, or (if that's not possible) protect it using a .htaccess
file.
我还喜欢 unset() 包含敏感数据的任何变量使用后,即使脚本后面的完整变量转储(例如在调试消息中)也无法显示出来.
I also like to unset() any variables containing sensitive data after use, so not even a full variable dump (e.g. in a debug message) later in that script could reveal it.
这篇关于将重要的秘密密钥存储在php文件中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!