
php mysql_connect security

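If the web server and the database server are on different hosts, can a hacker use packet sniffing or some other method to obtain the database username/password when you use mysql_connect in your PHP code?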

Yes, mysql_connect() can be sniffed. The password is "scrambled", but this will not stop an attacker. All queries are thrown over the wire in plain text and the authenticated session can be hijacked if you are sniffing TCP sequence IDs.

You must use full transport layer encryption, which is possible using the MYSQL_CLIENT_SSL flag, if you are worried about this attack. If you are putting a mysql connection over the internet or an otherwise untrusted network then this is a necessity. This is not necessary if you are connecting via localhost.
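A sketch of the encrypted connection the answer above recommends, added here as an example and not part of the original post. It uses mysqli and its `MYSQLI_CLIENT_SSL` flag, the counterpart of `MYSQL_CLIENT_SSL`, because the `mysql_*` extension was removed in PHP 7; the host name, account, database, CA path and the `connect_encrypted()` helper are placeholders.

```php
<?php
// Added example: host, account, database and CA path are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors

/**
 * Open a TLS-protected connection and fail closed if the session
 * turns out not to be encrypted.
 */
function connect_encrypted(string $host, string $user, string $pass,
                           string $db, string $caFile): mysqli
{
    $link = mysqli_init();

    // Trust only the CA that signed the database server's certificate.
    $link->ssl_set(null, null, $caFile, null, null);

    // MYSQLI_CLIENT_SSL requests TLS during the connection handshake.
    $link->real_connect($host, $user, $pass, $db, 3306, null, MYSQLI_CLIENT_SSL);

    // Ssl_cipher is empty when the session runs in plain text.
    $row = $link->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
    if (empty($row['Value'])) {
        $link->close();
        throw new RuntimeException("Connection to $host is not encrypted");
    }
    return $link;
}

try {
    $db = connect_encrypted(
        'dbhost.example',                 // placeholder database host
        'app_user',                       // placeholder account
        getenv('DB_PASSWORD') ?: '',      // keep the secret out of the source
        'app_db',                         // placeholder schema
        '/etc/ssl/certs/db-ca.pem'        // placeholder CA bundle
    );
    $cipher = $db->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
    echo 'Encrypted session, cipher: ' . $cipher['Value'] . PHP_EOL;
} catch (Throwable $e) {
    // Log the reason, never the credentials.
    error_log('Database connection refused: ' . $e->getMessage());
    exit(1);
}
```

On the server side, the account can also be defined with `REQUIRE SSL` so that MySQL itself rejects unencrypted logins for it.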

I think that a hacker can sniff the packets if he has some kind of access to the web server or db server, or at least to the LAN where one of these servers is, and in this case you have bigger problems. But if the web server is on webhost.com, the db is on dbhost.com and the hacker tries to sniff from outside then he cannot do much.
