基于php-mysql的网站的管理和安全性
[英]Administration and security with a php-mysql based website
问题描述
My question is a general one because I lack a hole picture of what I should do! 
我的问题是一个笼统的问题,因为我对应该做什么不了解!
I am developping a website containing a member area. 我正在开发一个包含会员区的网站。 Each user register trough a login and a password and can access forms that allows them to edit and update their personal page. 每个用户注册槽登录名和密码,可以访问的形式 ,使他们能够编辑和更新他们的个人页面。 Non registered users can access a little search engine to find personal users pages based on some characteristics. 非注册用户可以访问一些搜索引擎,以根据某些特征查找个人用户页面。
This website is developped in php and is now hosted in localhost with Xampp . 这个网站是用php开发的,现在通过Xampp托管在localhost中 。
My question is about administration and security. 我的问题是关于管理和安全性。
The administration of the website will require to delete and update data published by users on their personal page. 网站的管理将要求删除和更新用户在其个人页面上发布的数据。
So now in localhost I just go through phpMyAdmin to modify these tables. 所以现在在本地主机中,我只是通过phpMyAdmin来修改这些表。
-Can I just do the same when the website will be online? -我可以在网站上线时做同样的事情吗?
-Is the use of an admin part made to make it quicker than getting in the tables trough phpMyAdmin ? -是否通过使用admin部件来使其比通过phpMyAdmin进入表更快? The password of the users are encrypted to prevent their use in case the data would be stollen so anyway I cant use their login and password to connect to there personal pages to delete data in case they wouldent respect the website rules? 用户的密码已加密,以防万一数据被盗用,以防止他们使用,所以无论如何我不能使用他们的登录名和密码来连接个人页面以删除数据,以防万一他们遵守网站规则?
Concerning security, is there a need to protect files with an .htaccess with the type of website I am describing? 关于安全性,是否需要用我正在描述的网站类型保护带有.htaccess的文件?
I secured the php scripts againsts main security breaches( xss, sql injection, csrf, upload ) but I dont completely understand what else should be done when the website gets online. 我确保php脚本不受主要安全漏洞( xss,sql注入,csrf,upload )的侵害,但我不完全了解网站上线后还应该做什么。
For example there is a password for mysql to connect to the database: this password is stored in the 'databse.php' like this 例如,有一个mysql连接到数据库的密码:该密码像这样存储在“ databse.php”中
$db = new Database('login', 'password', 'website');
What is the use of this password when the website is on a server, does someone else than the administrator can access to the files on the server ? 当网站位于服务器上时,此密码有什么用,管理员以外的其他人是否可以访问服务器上的文件?
As you can see, my questions are a bit confused because my picture of administration and security is not clear when it comes to jumping from the world of localhost to the world wide web! 如您所见,我的问题有点困惑,因为当涉及从本地主机环境跳转到万维网时,我对管理和安全性的了解还不清楚!
Thanks for your help. 谢谢你的帮助。
3 个解决方案
解决方案1
0
I think it's great what you're doing, but I would recommend improving your PHP by using an existing CMS. 我认为您的工作很棒,但我建议您使用现有的CMS来改进PHP。 Drupal would be a grand choice for such a site described as yours :) 对于这样的网站,Drupal是一个不错的选择:)
If you are still interested in pursuing this, then look into sessions - that's where you'll want to start (user rights per page). 如果您仍然有兴趣进行此操作,请查看会话-这就是您要开始的位置(每页的用户权限)。
解决方案2
0 2015-11-23 14:52:58
Can I just do the same when the website will be online?
Yep. 是的 In your local phpmyadmin folder, find the file config.inc.php and change the line $cfg['Servers'][$i]['host'] = 'localhost'; 在您本地的phpmyadmin文件夹中,找到文件config.inc.php并更改$cfg['Servers'][$i]['host'] = 'localhost'; where it says localhost to your live mysql server address. 它在您的实时mysql服务器地址上显示localhost。
解决方案3
0 2017-10-17 11:49:29
- .htaccess is ver much needed according to your nature of website you can block the directory listing in this and etc also and your htaccess file can give protection on execution of malicious file. 根据您网站的性质,非常需要.htaccess,您可以在其中阻止目录列表等,并且您的htaccess文件可以为执行恶意文件提供保护。
- try to use algorithim in password ie sha256 with salt or hash password. 尝试在密码中使用算法,即使用盐或哈希密码的sha256。
security must be there because vulnerablities make your site a mess. 安全性必须存在,因为漏洞会使您的网站一团糟。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.