PHP /服务器端:如何正确隐藏数据库凭据文件
[英]PHP/Server Side: How to properly conceal database credentials files
问题描述
I've had lots of problems concealing database credentials needed for PHP classes. 
在隐藏PHP类所需的数据库凭据时,我遇到了很多问题。 None of the "solutions" recommended worked so far. 到目前为止,推荐的“解决方案”都没有奏效。
1) PHP manual recommends to save the credentials in a different file: check! 1)PHP手册建议将凭据保存在其他文件中:检查! All my PHP database classes insert the credentials from a different file. 我所有的PHP数据库类都从其他文件插入凭据。
Typical db class 典型的数据库类
class database{
private static $dbc = null;
public static function get($page,$component = null){
if(self::$dbc === null) {
$root = $_SERVER['DOCUMENT_ROOT'];
$path = '/some path/';
$file = 'pdo.php';
require( $root . $path . $file );
}
...more code...
credentials file 凭证文件
$dbhost = 'some.host';
$dbname = 'someDBname';
$dbuser = 'someUser';
$dbpass = 'somePassword';
2) Despite this, the file where I keep all the info in the web-host, the file can be sniffed or found. 2)尽管如此,我将所有信息保存在网络主机中的文件仍然可以被嗅探或找到。
How can I conceal this file, containing the database info, in order to have a REALLY secure website and database? 如何隐藏此包含数据库信息的文件,以拥有真正安全的网站和数据库?
1 个解决方案
解决方案1
2 2018-03-23 20:27:28
I'd recommend putting them in environment variables. 我建议将它们放在环境变量中。 You can getenv 你可以getenv
And you can set them through either a .env (Symfony and Laravel are both using this: Example ) file, or in a .htaccess file as explained here . 你可以将它们通过或者.env (Symfony和Laravel都使用这样的: 实例 )文件,或在.htaccess文件作为说明在这里 。
Bonus: If you're paranoid, you can throw in a salt and use a hashed password, as explained here, but I doubt that this changes much. 奖励:如果您偏执狂,可以撒盐并使用哈希密码(如此处所述) ,但是我怀疑这会发生很大变化。
Edit: In the comments it was suggestion by @deceze not to store the credentials file in the document root. 编辑:在注释中,@ deceze建议不要将凭证文件存储在文档根目录中。 That's definitely something you should follow. 这绝对是您应该遵循的。
Let me elaborate. 让我详细说明。 Let's say your domain example.com points to www/foo/bar/example.com/ don't store the file in there like www/foo/bar/example.com/db.php but store it a level up at www/foo/bar/db.php that way it can't be accessed through the browser, but PHP can still access ist, through include or require . 假设您的网域example.com指向www/foo/bar/example.com/ ,而不是像www/foo/bar/example.com/db.php那样将文件存储在其中,而是将其存储在www/foo/bar/db.php不能通过浏览器访问,但是PHP仍然可以通过include或require来访问ist。 You can add .. to a path to go one folder back. 您可以在路径中添加..以返回一个文件夹。 If you have it sitting in the document root, it could be accessed using http://example.com/db.php and if your server isn't configured properly (or you use another formal like db.yml or something), it could serve the file and thus expose your credentials Note: The db.php file is just an example. 如果您将其放在文档根目录中,则可以使用http://example.com/db.php对其进行访问,并且如果您的服务器配置不正确(或者您使用的是db.yml类的其他形式),可以提供文件,从而公开您的凭据注意: db.php文件只是一个示例。 As stated above, I'd strongly recommend using environment variables! 如上所述,我强烈建议您使用环境变量!
Edit 2: To stick with your example and a PHP solution without using environment variables. 编辑2:坚持使用示例和PHP解决方案,而不使用环境变量。 You could use something like this: 您可以使用如下形式:
// the db class
class database{
private static $dbc = null;
public static function get($page,$component = null){
if(self::$dbc === null) {
$root = $_SERVER['DOCUMENT_ROOT'];
$path = '/../db/';
$file = 'pdo.php';
require( $root . $path . $file );
self::$dbc = new PDO($dsn, $dbUser, $dbPass);
}
return self::$dbc;
}
}
// the pdo.php file
$dsn = 'mysql:dbname=testdb;host=127.0.0.1';
$dbUser = 'dbuser';
$dbPass = 'dbpass';
The file structure would be something like 文件结构将类似于
www
foo
yourwebsite
.htaccess
index.php
foobar.php
db
pdo.php
The website example.com would point to www/foo/yourwebsite 该网站example.com将指向www/foo/yourwebsite
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.