在php中保护数据库密码 [英] Securing DB password in php
问题描述
是网络开发的新手。我很好奇人们怎么做。
Am new to web development. I am curious as to how people do it.
我正在编写一些使用mysql DB的PHP代码。我的密码硬编码在代码现在。此代码可以由所有开发人员检出,因此每个人都可以访问密码。似乎非常非常错了我。除此之外,我可以想到一些并发症。我以列表形式列出问题 -
I am writing some php code that uses a mysql DB. I have the password hardcoded in the code as of now. This code can be checked out by all devs and so every one has access to the password. Seems very very wrong to me. On top of that I can think of some complications. I am listing the issues in bullet point form -
-
密码硬编码错误。我不想让所有开发人员访问它,因为他们都可以签出代码。
Password hard coded in code is wrong. I don't want all devs to have access to it as all of them can check out the code.
如何区分生产和开发服务器/凭证?我有同样的文件包含prod和dev数据库凭据。什么是最好的办法来处理这个?
How to differentiate between production and development servers/credentials? I have the same file containing both prod and dev DB credentials. What is the best way to handle this?
我希望防止延迟/醉的时间,以便开发者不要删除/删除表等。我显然可以有不同的访问不同的开发。那么是所有这一切的解决方案吗?
I want to prevent against lazy/drunk times so that devs do not delete/drop tables etc. I can obviously have different access to different devs. So is that the solution to all of this?
潜在的解决方案:请求开发人员自己添加密码,并确保它从未签入。
Potential solution: Do not have the password in code. Ask devs to add the password themselves and make sure its never checked in.
解决方案问题:繁琐的部署过程。必须手动添加生产/ QA部署的密码,并确保它能够在部署之前每次连接到数据库。听起来太痛苦,容易出错。
Problem with solution: Tedious process of deployment. Have to add the password for production/QA deployment manually and make sure its able to connect to the DB everytime before deployment. Sounds too painful and error prone. What do people usually do?
- 如果您在团队中有4个开发人员,您如何设置开发环境?所有这些都使用相同的DB?如果没有,如何创建表并使用测试数据填充表?您必须编写代码才能填充测试数据?
非常感谢任何输入。
推荐答案
将密码放在单独的PHP文件中,其中包含您的所有应用设置,并将其包含在页面顶部。
Put the password in a separate PHP file, containing all your app settings, and include it at the top of the page. This file can then be kept out of Version Control, and replaced for each deployment.
请确保您保留 config.php 文件(或任何你选择命名)从你的根目录,也,以便它不会被意外地提供给你的应用程序的任何用户。另外,作为进一步的预防措施,确保你给它 .php 扩展,所以如果它以某种方式仍然得到提供,它应该由PHP解析,和任何有用的信息(希望)删除 - 一个常见的做法是命名为 .conf.php 或 .inc.php 扩展。因为这个原因。
Make sure that you keep the config.php file (or whatever you choose to name it) out of your root directory, also, so that it can't be accidentally served up to any users of your app. Also, as a further precaution, make sure that you give it the .php extension, so that if it somehow does still get served up, it should be parsed by PHP first, and any useful information (hopefully) removed - a common practice would be to name it with a .conf.php or .inc.php extension for this reason.
对于Dev环境,我们使用所有开发人员共享的单个数据库。它最初是从实时客户端数据创建的,克隆到我们的数据库中,为了隐私的原因,某些信息被删除/替换。在我们的开发构建中使用相同的数据库以及本地构建。
As for the Dev Environment, we use a single database shared by all the devs. It was originally created from live client data, cloned into our database, with certain information redacted / replaced for privacy reasons. The same database is used in our development build as well as our localhost builds.
这篇关于在php中保护数据库密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
