在PHP常量和安全性中存储数据库凭据 [英] Storing database credentials in PHP constans and security
问题描述
我以前将数据库凭据存储在这样的PHP文件中:
I used to store my db credentials in a PHP file like this:
<?php
define('HOST', 'localhost');
define('USER', 'db_user');
define('PASS', 'user_pass');
define('DB', 'database');
?>
我使用常量,但在最近的项目中,一位PHP编码人员表示将db凭据存储到常量中不安全。我不明白我试图找到一些信息,但是对此一无所获。
I use constants but in a recently project, one of the PHP coders said that storing db credentials into constants wasn't secure. I don't get it. I tried to find some information but nobody says nothing about this.
将数据库凭据存储到PHP常量中是否存在安全隐患?
Is there any security risk in storing db credentials into PHP constants?
推荐答案
唯一的风险是如果您在文档根目录下有定义。在这种情况下,如果服务器配置出了点问题,并且人们可以看到您的PHP代码,则常量(以及数据库凭据)将被公开。
The only risk is if you have the definitions under the document root. In that case, if something goes wrong with your server configuration and people can see your PHP code, the constants (and thus database credentials) will be exposed.
最安全一种方式(据我所知)是将凭据作为仅限于root用户的服务器环境的一部分。然后,开发人员可以使用 _SERVER ['db_user'] 等。这可能更加安全,因为可以访问实际数据库凭据的人员受到限制。它还使您可以灵活地根据服务器使用不同的凭据(例如,开发与生产)。但是,您可以使用 phpinfo(), var_dump($ _ SERVER)等查看所有服务器环境变量,因此您必须注意不要上传此类内容。
The most secure way (that I know of) is to have the credentials as part of the server environment that is restricted only to root. Then, developers can use _SERVER['db_user'], etc. This is potentially more secure in that the people who have access to the actual DB credentials are more limited. It also gives you the flexibility to use different credentials depending on the server (development vs. production, for example). However, you can see all server environment variables with phpinfo(), var_dump($_SERVER), etc. so you have to take care not to upload such things.
这篇关于在PHP常量和安全性中存储数据库凭据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
