当使用PHP连接到MySql数据库时,根据用户输入修改db config是一个坏主意吗?
[英]While connecting to a MySql database with PHP, is it a bad idea to modify the db config based on user input?
问题描述
Sorry if the title is not clear, I'm in a project where we're building an Android app that connects to a MySql database to display some data. 
抱歉,如果标题不清楚,我在一个项目中,我们正在构建一个Android应用程序,该应用程序连接到MySql数据库以显示一些数据。 We're using PHP to connect to the database, and we're using dbconfig.php that contains something along the lines of: 我们正在使用PHP连接到数据库,并且正在使用dbconfig.php,其中包含以下内容:
define("servername", "host");
define("username", "username");
define("password", "password");
define("database", "database");
Since we are often connecting to databases hosted in different servers, we had to manually change the dbconfig every time before running the app, so we're thinking of letting the user write this information on the app itself. 由于我们经常连接到托管在不同服务器上的数据库,因此在运行应用程序之前,每次都必须手动更改dbconfig,因此我们正在考虑让用户将这些信息写在应用程序本身上。 I thought of making the app send a POST request then having the dbconfig have something like this: 我想到让应用程序发送POST请求,然后让dbconfig具有以下内容:
define("servername", $_POST["host"]);
define("username", $_POST["username"]);
define("password", $_POST["password"]);
define("database", $_POST["database"]);
But I know the dbconfig is supposed to be secure so I am not comfortable dynamically changing the dbconfig and looks like a bad idea. 但是我知道dbconfig应该是安全的,所以我不愿意动态更改dbconfig,这似乎是个坏主意。 What is the best way of achieving this? 实现此目标的最佳方法是什么?
Edit: It is a bad idea, on another note how would an app similar to this work? 编辑:这是一个坏主意,另一方面,一个与此类似的应用程序将如何工作? Would it not require some type of POST request to send the database credentials onto a server side language? 不需要某种类型的POST请求将数据库凭证发送到服务器端语言吗?
2 个解决方案
解决方案1
2 2018-07-27 15:11:49
This is a real bad idea, because: 这是个坏主意,因为:
- you are passing credentials via POST 您正在通过POST传递凭据
- you do not sanitize/strip the credentials (the $_POST content) 您不清理/剥离凭据($ _POST内容)
- you are transferring your credentials via HTTP(S) (or something else) 您正在通过HTTP(S)(或其他方式)传输凭据
One approach is to define some REST endpoints and let your app call those endpoints. 一种方法是定义一些REST端点,然后让您的应用调用这些端点。 The endpoints can then decide to which server they are going to connect. 然后,端点可以决定要连接到哪个服务器。
解决方案2
0 2018-07-27 15:25:33
if you are in development mode you could have a different home page to send the name of the database to use .. something similar to this 如果您处于开发模式,则可以使用其他主页来发送要使用的数据库名称。
$db = isset($_POST['db']) ? $_POST['db'] : 'default';
switch ($db) {
case 'db1':
$servername = 'host1';
$username = 'username1';
$password = 'password1';
$database = 'database1';
break;
case 'db2':
$servername = 'host2';
$username = 'username2';
$password = 'password2';
$database = 'database2';
break;
default:
$servername = 'default_host';
$username = 'default_username';
$password = 'default_password';
$database = 'default_database';
break;
}
define("SERVERNAME", $servername);
define("USERNAME", $username);
define("PASSWORD", $password);
define("DATABASE", $database);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.