将管理员登录硬编码到 php 脚本中是否安全?
[英]Is it safe to store admin login hardcoded into a php script?
问题描述
I was thinking something really trivial like:
我在想一些非常微不足道的事情,比如:
if ($email == 'mymail@example.com' && pass == '&2r2KdC#i%$$e2r8'){
//do login
}
Was wondering if this open to possible hacks or exploit, but could not think of any.想知道这是否对可能的黑客攻击或利用开放,但想不出任何。 Since it will be just my login it would not make sense to use a whole database to store only that.因为这只是我的登录名,所以使用整个数据库来存储它是没有意义的。 I'll use database to store users login.我将使用数据库来存储用户登录。 I know it sound stupid to have users with less privileges stored securely in a database and admin login hardcoded, but is it really less secure?我知道将权限较低的用户安全地存储在数据库中并且对管理员登录进行硬编码听起来很愚蠢,但它真的不那么安全吗?
1 个解决方案
解决方案1
0 2020-09-18 13:13:07
It is possible for people to get things from a database without permission, via ways like sql injection if data is not sanitized properly.如果数据未正确清理,人们可能会在未经许可的情况下通过 sql 注入等方式从数据库中获取内容。 It is also possible for people to get your php source code, via ways such as having access to your server (eg your shell/ftp account), which is quite unlikely assuming that the server is decent enough and you're keeping your credentials for getting into the server safe enough.人们也有可能通过访问您的服务器(例如您的 shell/ftp 帐户)等方式获取您的 php 源代码,假设服务器足够好并且您保留了您的凭据,这是不太可能的进入服务器足够安全。 Do understand that being being a victim of sql injection is a far more likely than people obtaining your php code.请理解成为 sql 注入的受害者比获得您的 php 代码的人更有可能。 (It is also possible that you accidentally did something wrong such as changing the file extension that outputted those lines, the same goes for accidentally writing a wrong query for sql though) There are many more ways things can go wrong of course but here I am just listing out some common problems. (也有可能您不小心做错了一些事情,例如更改了输出这些行的文件扩展名,尽管不小心为 sql 编写了错误的查询也是如此)当然还有更多方法可能会出错,但我在这里只是列举了一些常见的问题。
Also, it is worth noting that your database credentials are probably in your php code too, meaning that if they somehow have access to your source code, they most probably can access your database too.此外,值得注意的是,您的数据库凭据也可能在您的 php 代码中,这意味着如果他们以某种方式可以访问您的源代码,他们很可能也可以访问您的数据库。
However, I believe the biggest problem is not with where you put the password, it is how you store it.然而,我认为最大的问题不在于你把密码放在哪里,而在于你如何存储它。 Passwords should not be stored as how they are, instead, they should first be hashed before they're stored, then when you want to check if a password is correct, you hash that password too and check it with the hash you stored.密码不应该被存储为它们是如何,相反,他们首先应该要存储之前,他们哈希,然后当你要检查,如果密码是正确的,你的哈希密码也与哈希检查你存储。 It is very dangerous to simply store unhashed passwords, since if someone somehow has access to them, it poses a huge security threat to your users, some users may use this same passwords for multiple places that someone can have access to all those places (this is very bad you shouldn't do this, but there are people to do this).简单地存储未散列的密码是非常危险的,因为如果有人以某种方式访问它们,就会对您的用户构成巨大的安全威胁,一些用户可能会在多个地方使用相同的密码,而这些地方有人可以访问所有这些地方(这很糟糕,你不应该这样做,但有人这样做)。 However, if the passwords are hashed, even if someone somehow has access to all of the hashes, they still won't know the actual passwords.然而,如果密码被散列,即使有人以某种方式可以访问所有的散列,他们仍然不会知道实际的密码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.