服务器上的 PHP 源代码安全 [英] PHP source code security on server

问题描述

我是 PHP 新手，有一个 php 安全问题.有人可以获得在默认配置下在服务器上运行的 php 脚本文件的源代码吗?如果是这样，最好的保护方式是什么?我问这个是因为当我从网站请求一个页面时我碰巧下载了一个 php 文件以及是什么引发了我的担忧.我认为 apache 配置可能是错误的，并将该文件像一个简单的文件一样提供给我，但我不确定.另外，保存敏感"数据(例如数据库或 smtp 配置)的最佳位置是什么?

I am a PHP newbie and a have a php security question. Is it possible for somebody to get the source code of a php script file running on a server with default configuration? If so, what is the best way to be protected? I am asking this because I happened to download a php file when I requested a page from a site and what triggered my concerns. I think that maybe apache configuration was wrong and served that file to me like a simple file but I am not sure. Also what is the best place to keep "sensitive" data such as database or smtp configuration?

谢谢，亚历克斯

推荐答案

对于最敏感的信息，我建议将其放在 Web 根文件夹之外，并通过require"或include"包含它.这样，即使某些配置在服务器上被搞砸了，访问者也只会得到include('secret_stuff.php');"这一行.而不是实际的脚本.

For the most sensitive information, I'd suggest putting it outside of your web root folder, and including it through "require" or "include". This way, even is some configuration gets botched on the server, the visitor will only get served the line "include('secret_stuff.php');" and not the actual script.

这篇关于服务器上的 PHP 源代码安全的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！