Is it ever ok to store a password in plain text in a php variable or php constant?

Views: 24

Question

As per the question, in something like

$password = 'pa$$w0rd';

If the users can't see it, it's safe, right?

Some people actually suggested using a hash; however, there would be a problem with the database server connection password, wouldn't there?

Answer

The short answer is both No, and It Depends.

It's almost never a good idea to store passwords in plain text, especially in a web-accessible location, if for no other reason than that a simple server misconfiguration or an echo in the wrong place could expose it to the world.

If you MUST store a password (which is possible), you could try to store it outside the webroot, eg:

/var/www/public_html/ Put your codez here
/var/www/includes/ Put your passwords here

Even better than that would be to have the system that you need the password for (eg a database wrapper) return an object already instantiated. So rather than asking for $databasepassword you ask for a PDO object, and store your database classes outside the webroot.

The It Depends comes from what attack vectors would cause someone to have access to that password text, and whether it would require them to be already inside your filesystem; if so, you're probably screwed anyway.

Also, if it's the password to your supa-secrit subscriber content, meh, all you've lost is some subscription fees; if it's your database, you may have a problem; if it's your online banking details, um, good for you.

How valuable is the thing the password is protecting?
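The two suggestions in the answer above (keep the credentials file outside the webroot, and hand callers an already-built PDO object instead of the password) fit together in one small wrapper. The following is an added example, not code from the original question or answer; the directory layout, the `Database` class name, the `db_credentials.php` file and the `CHANGE_ME` value are all hypothetical.

```php
<?php
// Added example: /var/www/includes/Database.php (assumed path, outside the webroot).
//
// Assumed layout, following the answer's suggestion:
//   /var/www/public_html/index.php        <- web-accessible code
//   /var/www/includes/db_credentials.php  <- NOT web-accessible, returns an array
//   /var/www/includes/Database.php        <- this file
//
// /var/www/includes/db_credentials.php (hypothetical) contains only:
//   <?php
//   return [
//       'dsn'  => 'mysql:host=localhost;dbname=app;charset=utf8mb4',
//       'user' => 'app_user',
//       'pass' => 'CHANGE_ME',   // placeholder, not a real credential
//   ];
// and is readable by the web server user only (e.g. owned by root:www-data, mode 0640),
// so a misconfigured vhost that serves .php files as text still cannot reach it.

final class Database
{
    private static ?PDO $handle = null;

    /**
     * Return a shared PDO connection. Callers never see the DSN, user or
     * password; the only thing that leaves this class is the live object.
     */
    public static function connection(): PDO
    {
        if (self::$handle === null) {
            $credFile = __DIR__ . '/db_credentials.php';
            if (!is_readable($credFile)) {
                // Fail closed; do not echo the path or contents into an error page.
                throw new RuntimeException('database credentials are not available');
            }
            $cred = require $credFile;

            self::$handle = new PDO($cred['dsn'], $cred['user'], $cred['pass'], [
                // Throw on errors instead of returning false, so failures are not silently ignored.
                PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
                // Use real server-side prepared statements; bound values never become SQL text.
                PDO::ATTR_EMULATE_PREPARES => false,
            ]);

            // Drop the plaintext credentials from the local scope once the
            // handle exists, so a stray var_dump() of $cred has nothing to show.
            unset($cred);
        }
        return self::$handle;
    }
}

// --- Usage from web-accessible code, e.g. /var/www/public_html/index.php ---
// require '/var/www/includes/Database.php';
// $stmt = Database::connection()->prepare('SELECT id FROM users WHERE email = ?');
// $stmt->execute([$email]);
```

The web-accessible code only ever `require`s the wrapper and asks for `Database::connection()`; the password string lives in a file that the HTTP server is never configured to serve, and the connection is created once and reused. This does not protect against someone who can already read arbitrary files as the web server user (the answer's "It Depends" case), but it removes the easy failure modes the answer names: a server that starts serving PHP source as text, or an `echo`/debug dump in the wrong place.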
