如何使我的数据库连接安全? [英] How do I make my database connection secure?
问题描述
我目前正在为我教会的大学组织一个网站,我开始有点担心我写作的安全性。例如,我使用这个函数:
I'm currently working on a website for my church's college group, and am started to get a little worried about the security of what I'm writing. For instance, I use this function:
function dbConnect()
{
global $dbcon;
$dbInfo['server'] = "localhost";
$dbInfo['database'] = "users";
$dbInfo['username'] = "root";
$dbInfo['password'] = "password";
$con = "mysql:host=" . $dbInfo['server'] . "; dbname=" . $dbInfo['database'];
$dbcon = new PDO($con, $dbInfo['username'], $dbInfo['password']);
$dbcon->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$error = $dbcon->errorInfo();
if($error[0] != "")
{
print "<p>DATABASE CONNECTION ERROR:</p>";
print_r($error);
}
}
以连接到数据库某种。我总是使用PDO预准备语句来防止任何用户输入的SQL注入,我使用htmlspecialchars在输出之前转义。我的问题是这样:如何保护我的数据库的用户名和密码?我不知道是否有人可以查看我的PHP文件的源,但如果可以,我只能想象我会被淹死。我该怎么办?
to connect to the database whenever I do a query of some sort. I always use the PDO prepared statements to prevent SQL injection from any user input, and I use htmlspecialchars to escape before outputting. My question is this: How do I protect my username and password for my database? I don't know if someone can view the source for my PHP files, but if they could, I can only imagine I would be hosed. What do I do?
推荐答案
您应该将您的数据库凭据放在文档根目录外的文件中,
You should put your database credentials in a file outside of the document root, so if something messes up and your PHP gets shown to users un-parsed, no-one will be able to see your password.
解决方案很简单。将所有敏感数据放在Web服务器的文档根目录之外。许多专家现在主张将大多数(如果不是全部)PHP代码放在Web服务器的文档根目录之外。由于PHP不受限于Web服务器的相同限制,因此您可以在与文档根相同的级别创建一个目录,并将所有敏感数据和代码放在那里。
The solution is simple. Place all sensitive data outside of your web server’s document root. Many experts now advocate placing most, if not all, of your php code outside of your web server’s document root. Since PHP is not limited by the same restrictions are you web server, you can make a directory on the same level as your document root and place all of your sensitive data and code there.
这篇关于如何使我的数据库连接安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
