共享主机上安全的MySQL密码
[英]Safe MySQL password on shared hosting
问题描述
I've made a simple web page for business clients that operates on MySQL database used mainly by our B2C Prestashop based e-shop. 
我为在MySQL数据库上运行的业务客户创建了一个简单的网页,主要由我们的B2C Prestashop电子商店使用。 We're using shared hosting. 我们正在使用共享主机。 This website is mostly based on jQuery jTable (jtable.org) and is meant to show current, approximate stock of products. 该网站主要基于jQuery jTable(jtable.org),旨在显示当前的近似产品库存。
I've used jQuery jTable 'starter pack' and created a simple front-end view for our partners. 我已经使用了jQuery jTable'starter pack'并为我们的合作伙伴创建了一个简单的前端视图。 It looks more or less like the one in jTable tutorial: 它看起来或多或少像jTable教程中的那个:
$(document).ready(function () {
//Prepare jTable
$('#PeopleTableContainer').jtable({
title: 'Product Availability',
actions: {
listAction: 'someconfigfile.php?action=list',
},
fields: {
column1: {
title: 'column1',
width: '70%',
key: true
},
column2: {
title: 'column2',
width: '30%'
}
}
});
//Load person list from server
$('#PeopleTableContainer').jtable('load');
});
As I only want to show data I have in MySQL database, I've prepared read-only user and I'm using his credentials to access database. 因为我只想显示我在MySQL数据库中的数据,所以我准备了只读用户,并且我正在使用他的凭据来访问数据库。 As seen in jQuery script, I'm accessing database through someconfigfile.php and 'list' action. 正如jQuery脚本中所见,我通过someconfigfile.php和'list'操作访问数据库。
The someconfigfile.php includes MySQL connection string and also my SQL query for populating the table in front-end view. someconfigfile.php包含MySQL连接字符串以及用于在前端视图中填充表的SQL查询。 What I want to do for security purposes is to put someconfigfile.php in directory above my public_html folder. 我出于安全目的要做的是将someconfigfile.php放在我的public_html文件夹上的目录中。 Folder containing HTML, PHP and CSS files for front-end will stay below public_html. 包含前端的HTML,PHP和CSS文件的文件夹将保留在public_html之下。
My question is: 我的问题是:
- Will my password be accessible by anyone if I put it above public_html? 如果我把它放在public_html之上,我的密码是否可供任何人访问? My whole front-end code is this jQuery jTable above. 我的整个前端代码是上面的jQuery jTable。
- Am I vulnerable to SQL Injection if I only get data with mysql_fetch_assoc($result) and then print json_encode of the array()? 如果我只使用mysql_fetch_assoc($ result)获取数据然后打印数组()的json_encode,我是否容易受到SQL注入攻击? User cannot enter any data here. 用户无法在此处输入任何数据。
Edit: Please also note that from jTable CRUD functions I've only left Read option. 编辑:请注意,从jTable CRUD函数我只留下了Read选项。 Create, Update and Delete options have been removed. 已删除“创建”,“更新”和“删除”选项。
2 个解决方案
解决方案1
1 2014-02-14 15:59:16
The password will be stored in your php files and therefore not accessible through a HTTP request even if those files are located under public_html file. 密码将存储在您的php文件中,因此即使这些文件位于public_html文件下,也无法通过HTTP请求访问。
Being on a shared host expose you to the possibility that someone using the same hosting server might be able to get access to your files but I assume your hosting company did everything they have to do in order to restrict access to files intra-customers. 在共享主机上,您可能会发现使用相同托管服务器的人可能能够访问您的文件,但我认为您的托管公司已经做了他们必须做的一切,以限制对客户内文件的访问。
That said, you still need to protect your html files with a password, otherwise anyone would be able to gain access to your database information. 也就是说,您仍然需要使用密码保护您的html文件,否则任何人都可以访问您的数据库信息。
解决方案2
1 已采纳 2014-06-05 15:31:32
I'm not sure how this works really as I haven't tried it, but learned about it the other day so I thought I'd share. 我不确定这是如何工作的,因为我没有尝试过,但是前几天才知道它,所以我想我会分享。
With GoDaddy, you can point your primary domain name at a sub-directory, therefore creating a new document root before it, so to speak. 使用GoDaddy,您可以将主域名指向子目录,因此可以在其之前创建新的文档根目录。 This may not be the case for other hosts but worth checking. 这可能不是其他主机的情况,但值得检查。
For example, create a new directory called 'application' in your root directory, upload your application's files there and point your primary domain there (You may need to remove the domain name first and then add it again with the specified directory). 例如,在根目录中创建一个名为“application”的新目录,在那里上传应用程序的文件并将主域指向那里(您可能需要先删除域名,然后再将其添加到指定目录中)。 You can then include files - your database credentials for example - from before your new document root, which is now not available to the public but available to your application. 然后,您可以在新文档根目录之前包含文件(例如您的数据库凭据),现在这些文件对公众不可用,但可供您的应用程序使用。
NEW STRUCTURE 新结构
DB Credentials: DB凭证:
/home/www/html/someSite/dbCredentials.php
Your Website (where primary domain is now pointed): 您的网站(主要域名现在指向):
/home/www/html/someSite/application/index.php
EXAMPLE: 例:
In dbCredentials.php add your credentials: 在dbCredentials.php中添加凭据:
<?php
$strHostName = “10.10.10.10”;
$strDbName = “dbname”;
$strUserName = “dbuser”;
$strPassword = “xxx***xxx”;
?>
On your web page, include the file and use variables as normal: 在您的网页上,包括文件并正常使用变量:
<?php
require_once ('/home/www/html/someSite/dbCredentials.php');
$db_found = new PDO("mysql:host=$strHostName..........);
?>
SOURCE: 资源:
http://support.godaddy.com/help/article/4175/specifying-a-new-default-document-root-on-your-hosting-account?pc_split_value=4&countrysite=uk http://support.godaddy.com/help/article/4175/specifying-a-new-default-document-root-on-your-hosting-account?pc_split_value=4&countrysite=uk
If you try it, let me know how it goes. 如果您尝试一下,请告诉我它是怎么回事。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.