如何存储数据库连接信息是安全的? [英] How to store db connect information is secure?

问题描述

我开发了一个php应用程序，并且我有一个config.php，它存储了应用程序之间的不断使用，在此文件中，它包含了所有重要信息，例如Mysql服务器地址，端口号，用户名和密码.我担心有人可以获取该文件，并且执行我不想要的操作，如何保护此文件?谢谢.

I developed a php application, and I have a config.php , which store the constant use among the application, in this file, it included all the important information, such as the Mysql server address, port number, user name and passwords. I am worry about someone can get the file, and do something that I don't want, how can I protect this file? Thank you.

推荐答案

• 实践一般良好的密码安全性(不要使用字典单词等)
• 按照惯例，使用.php扩展名命名文件是一种很好的做法，因为这样一来，Web服务器就不太可能被欺骗以纯文本格式提供文件.
• 确保config.php存储在Web根目录之外.这意味着，如果您的服务器配置出现问题，并且开始以纯文本格式提供PHP文件，则不会泄漏数据库密码(因为没有人能够请求config.php).
• 确保数据库凭据是适当命名的常量，而不是变量.这使得您不太可能以某种方式不恰当地使用它们(例如，如果密码是$password而不是DB_PASSWORD，则可能会对全局范围内的$password变量进行某些操作，而忘记了它的使用情况-不太可能，但可能性很小).
• Practice general good password security (don't use dictionary words etc)
• It is good practice to name the file with a .php extension, as you have done, because then the web server is unlikely to be tricked into serving the file as plaintext.
• Make sure config.php is stored outside of web root. That means that if something were to go wrong with your server configuration and it started serving PHP files up as plaintext, you wouldn't leak your database password (because no-one would be able to request config.php).
• Make sure the database credentials are appropriately-named constants, rather than variables. This makes it less likely that you might somehow use them inappropriately (for example, if the password was $password rather than DB_PASSWORD you might do something with the $password variable in the global scope, forgetting that it's in use - unlikely, but a small possibility).

这篇关于如何存储数据库连接信息是安全的?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！