将配置变量存储在站点根目录下的PHP站点上的XML文件中是否太冒险了?
[英]Is storing config variables in an XML file on a PHP site under the site root too risky?
问题描述
I've noticed that Magento stores MySQL connection details in an XML file which isn't secured above the docroot. 
我注意到Magento将MySQL连接详细信息存储在XML文件中,该文件在docroot上方没有得到保护。 This seems.... well dangerous. 这似乎....非常危险。
XML seems like a handy way to store config data, except for one thing, typing in http://www.domain.com.au/library/config.xml will show the world your private details! XML似乎是一种方便的配置数据存储方式,除了一件事,在http://www.domain.com.au/library/config.xml中键入将向世界展示您的私有详细信息!
I went ahead and used an XMl file and added this to my .htaccess file. 我继续使用XMl文件,并将其添加到我的.htaccess文件中。
<Files ~ "\.xml$"> // regex files that end with xml extension
Order allow,deny
Deny from all // don't show them
</Files>
Now I was happy with this, now I'm not too sure. 现在我对此感到满意,现在我不太确定。 What if the .htaccess file is accidentally deleted/corrupted (does that happen besides human error) and what if one day I want to place the app on a non apache server... does every server have the equivalent to block XML files, and if they do, can they be altered on a folder level like the .htaccess can (and not just a httpd.conf file). 如果.htaccess文件被意外删除/损坏(除了人为错误,还会发生什么),如果有一天我想将应用程序放置在非Apache服务器上,该怎么办...每个服务器都具有等同于阻止XML文件的功能,并且如果可以的话,是否可以像.htaccess一样在文件夹级别上进行更改(而不仅仅是httpd.conf文件)。
My question is... does the convenience of XML (easy to update, designers who need to tinker won't feel so intimidated) outweigh the potential problems (exposing private data)? 我的问题是... XML的便利性(易于更新,需要修补的设计人员不会感到如此胆怯)是否超过了潜在的问题(公开私有数据)?
3 个解决方案
解决方案1
1 已采纳 2009-03-03 06:51:17
I'd personally only store config file information in a format thats not in a directly accessible format or location. 我个人只会以无法直接访问的格式或位置的格式存储配置文件信息。 So I'd either use the XML format above the docroot or use the PHP $config['varname'] = 'value' format. 因此,我要么使用docroot上方的XML格式,要么使用PHP $ config ['varname'] ='value'格式。 The later method would just render a blank white page if called directly (so long as it's all PHP and contains no HTML and doesn't echo out). 如果直接调用,则后面的方法将仅呈现空白白页(只要是全PHP且不包含HTML且不回显)。
Gallery, vBulletin, and Joomla all use the second method I mentioned. Gallery,vBulletin和Joomla都使用了我提到的第二种方法。 I know I've mentioned those projects before in other PHP related questions, but it seems to be a method that's widely used and accepted between projects. 我知道我之前在其他与PHP有关的问题中都提到了那些项目,但这似乎是一种在项目之间被广泛使用和接受的方法。
解决方案2
0 2009-03-03 06:18:10
Short answer, no it is not. 简短的回答,不,不是。 But a better question would be. 但是会有一个更好的问题。 If it is not stored in a config file where would you keep it? 如果未将其存储在配置文件中,则将其保存在哪里?
解决方案3
0 2009-03-03 10:17:44
I entirely agree with inventix on this but also offer a 3rd option which should be combined with either 我完全同意inventix的观点,但是还提供了第三个选项,应与
name the file storing config info 命名存储配置信息的文件
.htanything.whatever .htanything.whatever
as server wide all files starting .ht are unreadable by external users {this is why htaccess is always .htaccess} 在服务器范围内,外部用户无法读取所有以.ht开头的文件{这就是为什么htaccess始终是.htaccess的原因}
personaly i only store config files includes and function libraryies outside of the document root, but understand that some connot thus always use the .htnaming convention on them also incase the $includesfolder has to be moved within the document-tree by someone using the software on such a server 个人而言,我只将配置文件包含库和函数库存储在文档根目录之外,但要理解,因此,某些东西总是要在它们上使用.htnaming约定,以防万一有人在软件树上将$ includesfolder移至文档树中,这样的服务器
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.