保护PHP文件 [英] Securing PHP files
问题描述
您好,感谢大家阅读我的问题。
Hello and thanks to everyone for reading my question.
我一直在PHP Web程序上工作一段时间,并且想知道我应该采取什么措施来保护源代码,然后再将其放在实时服务器上。来源没有被分发,它正在通过网站访问(用户登录到网站以使用它)。
I've been working on a PHP web program for a little while and was wondering what measures should I take to protect the source before putting it on a live server. The source isn't being distributed, it's being accessed through a website (users log into the website to use it).
首先我想保护源php文件被发现和下载。我没有使用任何框架,只是php和所有文件在主目录中作为index.php。我读了一遍,似乎robots.txt并没有真正有效的隐藏。我遇到一些人推荐的.htaccess的帖子,但是我经常认为这是为了使用密码保护目录中的文件,所以不知道有没有办法使它成为适合于网络应用程序的htaccess。
First I'd like to protect the source php files from being found and downloaded. I'm not using any framework, just php and all files are in the home directory as index.php. I read around and it seems that robots.txt isn't really effective for hiding. I came across some posts of people recommending .htaccess, but I often thought it was for protecting files within a directory with a password, so not sure if there's a way to make it htaccess suitable for a web app.
其次,我想保护源文件,以防某人有权访问它们(找到它们并下载它们或具有可以访问服务器的sys管理员)。我以为像ioncube这样的源加密。我的主机也有GnuPG [我不熟悉,与ioncube相比有什么想法?]
Second, I'd like to protect the source files in the case someone gets access to them (either finds them and downloads them or a sys admin that has ready access to the server). I thought of source encryption with something like ioncube. My host also has GnuPG [which I'm not familiar with, any thoughts about it compared to ioncube?]
我不熟悉源代码保护,所以任何想法将会很好,当然非常感谢您:)
I'm not familiar with source protection, so any ideas would be nice, and of course thank you muchly :)
推荐答案
只需确保您的Web服务器设置为处理 .php 文件正确,所有文件都有正确的 .php 扩展名(而不是 .php。 inc 或类似)
Just make sure your web server is set up to handle .php files correctly, and that all files have the correct .php extension (not .php.inc or similar)
只要您的服务器执行PHP,没有人可以下载其源代码(忽略代码中的任何安全漏洞) ,这是一个不同的主题)
As long as your server executes the PHP, no one can download its source code (ignoring any security holes in your code, which is a different topic)
有一段时间,通常命名包含的文件沿着 mystuff.php.inc - 这是一个坏主意。说你的网站是在example.com,你存储你的数据库配置在 config.php.inc - 如果有人猜到这个URL,他们可以请求 http://example.com/config.php.inc ,并以纯文本格式获取数据库登录..
There was a time when it was common to name included files along the lines of mystuff.php.inc - this is a bad idea. Say your site is at "example.com", and you store your database configuration in config.php.inc - if someone guesses this URL, they can request http://example.com/config.php.inc and get your database login in plain text..
将配置和其他库存储在一个目录中是一个好主意,如 bisko回答 - 所以你有一个目录结构,如..
It is a good idea to store configuration and other libraries up one directory as bisko answered - so you have a directory structure like..
/var/example.com:
include/
config.php
helper_blah.php
webroot/
index.php
view.php
这样一来,即使你的网络服务器配置被搞砸了,开始服务 .php 文件作为纯文本,这将是坏的,但至少你不会宣布你的数据库细节到世界..
This way, even if your web-server config gets screwed up, and starts serving .php files as plain text, it'll be bad, but at least you wont be announcing your database details to the world..
至于加密文件,我不认为这是一个好主意..这些文件必须是未加密的Apache(或您正在使用的任何服务器)可以访问它们。如果Apache可以访问它,您的系统管理员也可以。..
As for encrypting the files, I don't think this is a good idea.. The files must be unencrypted to Apache (or whatever server you're using) can access them. If Apache can access it, your sysadmin can too..
我不认为加密是不可信的系统管理员的解决方案。
I don't think encryption is the solution to an untrustworthy sysadmin..
这篇关于保护PHP文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
