
Securely storing database connection details. Why use .inc at all?

I am always reading that you should always store your database credentials outside of your document root, because normally you would have them set to db.inc or something similar.

I can understand this and naturally it makes perfect sense.

What I don't understand is why you are making the file into one that you either need to set Apache to hide or need to put into a secure location in the first place.

What is the issue with making it, say, db.php? Then Apache knows to execute the script first and return the output (which would presumably be blank in most cases).

Maybe I am being dumb and missing an inherent security flaw, but are there any issues with just storing your details in a .php file? I mean WordPress and other major open source PHP applications manage to get away with it, but is this because they can't make their script talk to folders outside of www, or because it is just as secure as any other method?

Maybe I am being dumb and missing an inherent security flaw, but are there any issues with just storing your details in a .php file?

A tiny slip-up in the configuration of Apache, and the file starts being served raw instead of being processed by the PHP engine.

I mean WordPress and other major open source PHP applications manage to get away with it, but is this because they can't make their script talk to folders outside of www, or because it is just as secure as any other method?

They accept increased risk for increased convenience.

Storing files containing (database) credentials outside the document root is always a good idea. Say you upgrade Apache but forget to update the PHP configuration. Any file in the document root can then possibly be downloaded without being parsed.

WordPress, Joomla, phpBB and others are made to be portable. That is, they reside in one folder.
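The layout both answers recommend, as an added example (this is not code from the question, the answers, or any of the projects named): the credentials live in a file outside the Apache DocumentRoot, so no URL maps to it even if the PHP handler is ever misconfigured, and the page under the document root only requires it. The paths, the key names and the placeholder values are assumptions for the example.

```php
<?php
// Added example. Assumed layout (not from the original post):
//   /var/www/html/           <- Apache DocumentRoot
//   /var/www/html/index.php  <- this file
//   /etc/myapp/db.php        <- credentials, deliberately NOT under DocumentRoot
//
// /etc/myapp/db.php is assumed to contain only a return statement, e.g.:
//
//   <?php
//   return [
//       'dsn'  => 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
//       'user' => 'app_rw',
//       'pass' => 'PLACEHOLDER-PASSWORD',   // constructed placeholder
//   ];
//
// Because that file is outside DocumentRoot, the "served raw instead of
// parsed" failure mode from the first answer cannot expose it: Apache has
// no URL that resolves to /etc/myapp/db.php at all.

declare(strict_types=1);

/**
 * Load the credentials file and validate its shape before use, so a
 * missing or half-written config fails closed instead of producing a
 * connection attempt with empty values.
 */
function loadDbConfig(string $path): array
{
    if (!is_readable($path)) {
        throw new RuntimeException("DB config not readable: $path");
    }

    $cfg = require $path;   // the file returns an array

    if (!is_array($cfg)) {
        throw new RuntimeException("DB config did not return an array: $path");
    }
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!isset($cfg[$key]) || $cfg[$key] === '') {
            throw new RuntimeException("DB config missing key: $key");
        }
    }
    return $cfg;
}

$cfg = loadDbConfig('/etc/myapp/db.php');

// PDO with exceptions enabled; the credentials never appear in this file,
// so a raw download of index.php would reveal only the path, not the secret.
$pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
```

If a credentials file must stay under the document root for portability (the WordPress case from the second answer), the usual mitigation is to deny direct requests to it at the web-server level, for example with an Apache 2.4 `<Files "db.inc">` (or `<FilesMatch "\.inc$">`) block containing `Require all denied`. Keeping the file outside DocumentRoot, as above, removes the need for that extra directive and the risk of it being lost in a server upgrade.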

