安全存储数据库凭据 [英] Secure storage of database credentials
问题描述
最近有一个主要的问题,我的网站托管公司搞砸了,我所有的php文件以纯文本显示。这是一个主要问题对我来说明显的原因。主要是因为mysql数据库的细节暴露了。
我现在正试图改变我的php文件获取数据库的登录信息的方式,这样即使主机公司失败了我也不会再发生。
我目前的设定如下:
include'info .php';
类登录{
var $ host;
var $ username;
var $ password;
var $ db;
var $ url;
info.php里面是数据库的用户名,密码等。我想要这样使得info.php文件永远不能被查看,只有我的.php文件能够访问info.php为了获得登录信息。
如何设置?这是一个棘手的一个对我来解释,请不要苛刻和-1我的错误描述。只是问我,我会清除我的描述中的任何差距。
只需将 info.php 这种方式,你可以包括它,但如果你的web托管f *#$ up,没有人可以查看该文件,即使是纯文本。
包括它像这样:
include('../ info.php');
这样,即使有人发现您有一个名为 info.php 的文件来存储您的所有密码,浏览器到该文件。
上述是最理想和最不透水的解决方案。但是,如果由于权限不可能,另一个选项是将所有敏感文件放在一个目录中,并使用 .htaccess 文件阻止对该目录的直接访问。
在您要禁止访问的目录中,放置一个包含以下内容的 .htaccess 文件: / p>
拒绝所有
Had a major problem recently where my web hosting company messed up and all my php files were displayed in plain text. This was a major issue for me for obvious reasons. Mainly because mysql database details were exposed.
I am now trying to change the way in which my php files get the login information for the database so that this will never happen again even if the hosting company fail me.
my current set up looks like this :
include 'info.php';
class Login {
var $host;
var $username;
var $password;
var $db;
var $url;
Inside the info.php is the username, password and so on for the database. I want to make it so that the info.php file can never be viewed and only my .php files are able to access info.php in order to get the login infomation.
How can i set this up? This is a bit of a tricky one for me to explain so please dont be harsh and -1 me for a bad description.. just ask and i will clear up any gaps in my description.
Simply place info.php outside your webroot. This way, you can include it, but should your web hosting f*#$ up, no one else can view that file, even as plain text.
You would then include it like this:
include('../info.php');
This way, even if someone finds out that you have a file called info.php that stores all your passwords, they cannot point their browser to that file.
The above would be the ideal and most watertight solution. However, if that is not possible due to permissions, the other option would be to place all sensitive files in a directory and block direct access to that directory using a .htaccess file.
In the directory you want to block off access to, place an .htaccess file with the following contents:
deny from all
这篇关于安全存储数据库凭据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
