我需要关注php中的mysql_connect中的密码吗?
[英]Do I need to be concerned about password in mysql_connect in php?
问题描述
When writing out the connect code to the database isn't it wide open for anyone to view my database username and password? 
将连接代码写到数据库时,是否有人可以查看我的数据库用户名和密码? Couldn't they then connect and alter my database? 他们不能连接和改变我的数据库吗? It just seems strange to type out my username and password and not be encrypted. 输入我的用户名和密码而不加密似乎很奇怪。
mysql_connect(localhost, user1, correcthorsebatterystaple)
I know the source isn't viewable when you right-click view source. 我知道右键单击视图源时无法查看源。 But if someone created a quick html page with ahref=mywebsite.com/connect_file.php then they right click and download that they can view my PHP code along with my username and passowrd, right? 但是如果有人用ahref = mywebsite.com / connect_file.php创建了一个快速的html页面,那么他们右击并下载他们可以查看我的PHP代码以及我的用户名和passowrd,对吧?
3 个解决方案
解决方案1
5 已采纳 2014-09-15 19:15:44
PHP is executed on the server and outputs HTML to the client. PHP在服务器上执行并将HTML输出到客户端。 So the client can never view the PHP source. 所以客户端永远不能查看PHP源代码。 So you don't have to worry about you passwords safety in those files 因此,您不必担心这些文件中的密码安全性
解决方案2
0 2014-09-15 19:16:41
You server sees all requests (so even that ahref one in your example) to the file as being one that asks for a php file. 您的服务器将所有请求(因此即使是示例中的ahref )视为要求提供php文件的请求。
Your server will first ask PHP to parse the file, and if set up correctly never show the code in any way. 您的服务器将首先要求PHP解析该文件,如果设置正确,则不会以任何方式显示代码。
Someone with direct (ssh for instance) access to your server or your code (ftp, github etc) will be able to read your code and so your password. 直接(例如ssh)访问您的服务器或您的代码(ftp,github等)的人将能够读取您的代码以及您的密码。 Avoid this at all costs. 不惜一切代价避免这样做。
You can put stuff you need to be carefull of outside of your www-root (for instance /var/www) directory. 您可以在www-root(例如/ var / www)目录之外放置您需要注意的内容。 Even IF something is wrong, the changes that your config will be read are smaller if they are in a separate place. 即使错误,如果它们位于不同的位置,您的配置将被读取的更改也会更小。 Use an include to include it. 使用include来包含它。 This will only 'work' if the file is parsed, so if it is NOT parsed, you won't be including it, so it will not be shown 如果文件被解析,这只会“起作用”,所以如果它没有被解析,你将不会包含它,所以它不会被显示
解决方案3
0 2014-09-15 19:17:11
If a user was to load your connect_file.php directly into the browser, they would get the PHP file rendered as HTML, which is likely blank. 如果用户要将connect_file.php直接加载到浏览器中,他们会将PHP文件呈现为HTML,这可能是空白的。 Clicking save-as would save a local copy of the blank HTML page. 单击“另存为”将保存空白HTML页面的本地副本。 Because PHP is rendered on the server and then sent to the user's browser, they only see the results, not the source. 因为PHP在服务器上呈现然后发送到用户的浏览器,所以它们只看到结果,而不是源。
If you're still concerned about this, you could always store connect_file.php in a location that is not accessible to the web and include it from another file. 如果您仍然担心这一点,您可以始终将connect_file.php存储在Web无法访问的位置,并将其包含在另一个文件中。 In the event that the PHP process broke or the PHP code was somehow served up raw, this would further prevent someone from viewing your PHP code containing the password. 如果PHP进程中断或者PHP代码以某种方式提供原始服务,这将进一步阻止某人查看包含密码的PHP代码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.