
Secure MYSQL connection details

Just wanted a little bit of advice on this. Is it possible to view PHP source code in a browser? I'm thinking it's not. But I wanted to make sure that my connection details, for example:

include("connection.php");                       // defines $host, $db_name, $db_user, $db_pass
$con = mysql_connect($host, $db_user, $db_pass); // arguments are server, username, password
mysql_select_db($db_name, $con);

can't be called and viewed by anyone with a browser.

If I .htaccess the connection.php file, does this just mean that you can't access the file using FTP, but that any script calling the include() file will still work?

Hope that makes sense. All I'm trying to make sure is that my passwords for database connections will be secure. Any advice would be very helpful.

There are several ways to leak your PHP code through a browser, among others:

  1. Misconfigured server (so that PHP files don't get parsed)
  2. Making backup files by appending an extension, e.g. secretfile.php.bak
  3. Also it might be possible that an attacker gets to a file by doing: http://example.com/../../../etc/passwd
  4. Not really a way to get into PHP files, but another common way to get info is through SQL Injection (I see you are using mysql_* -> please stop using it):

Please stop writing new code with the ancient mysql_* functions. They are no longer maintained and the community has begun the deprecation process. Instead you should learn about prepared statements and use either PDO or MySQLi. If you cannot decide, this article will help you choose. If you care to learn, here is a quite good PDO-related tutorial.

It is considered good practice to keep all PHP files outside the document root and only keep a bootstrap file in your document root.

Another thing: you should set up your database to only accept connections from localhost when possible.

NO. You can't see server-side (PHP) code in the browser, unless something is wrong in your server config.

So relax & stop worrying about someone stealing your db username & password from "view source" in the browser. That ain't happening.

My advice would be to create one config file with all your sensitive data in it. Make sure this file is located outside of your server root.

No, nobody can view your PHP code (unless they somehow gained access to your server via FTP, SSH, etc.).

It is NOT possible to view PHP code. But it may be possible to manipulate your application somehow. So, what you can do to be doubly secure is include a file with the connection data in it from a path outside of your public hierarchy, for example:

/home/public_html/index.php <= your website

http://yoururl.org gets to public_html => index.php

/home/files/connectionData.php <= file to store your files
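The layout from the last two answers (a bootstrap in public_html, credentials in a file outside it) combined with the PDO prepared statements recommended above, as an added example written for this page and not code from any of the answers. The paths /home/files/config.php and /home/public_html/index.php, the users table and the credential values are assumptions.

```php
<?php
// Added example, not code from the question or the answers. Assumed layout,
// following the last answer: /home/public_html/index.php is the only file the
// web server serves; /home/files/config.php holds the credentials and has no
// URL. Paths, table name and credentials are placeholders.
// --- /home/files/config.php (outside the document root) ---
// <?php
// return [
//     'dsn'  => 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
//     'user' => 'app_user',
//     'pass' => 'CHANGE_ME',
// ];
// --- /home/public_html/index.php (the bootstrap, shown below) ---
declare(strict_types=1);

function loadDbConfig(string $path): array
{
    // An absolute filesystem path, never a URL: a misconfigured PHP handler or
    // a stray config.php.bak left in public_html cannot expose these values.
    if (!is_readable($path)) {
        throw new RuntimeException('database config not found');
    }
    $cfg = require $path;
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("database config is missing '$key'");
        }
    }
    return $cfg;
}

function connect(array $cfg): PDO
{
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

try {
    $pdo  = connect(loadDbConfig('/home/files/config.php'));
    // Prepared statement: the request value is bound, never concatenated into SQL.
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE email = :email');
    $stmt->execute([':email' => $_GET['email'] ?? '']);
    $rows = $stmt->fetchAll();
} catch (RuntimeException $e) {  // PDOException extends RuntimeException
    error_log($e->getMessage());  // keep host/user/DSN details out of the response
    http_response_code(500);
    exit('database unavailable');
}
```

Because the config is loaded by filesystem path, none of the leak routes listed earlier (unparsed PHP, .bak copies in the web root) reach it, and the catch block ensures a failed connection does not echo the DSN or username to the visitor.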

Notice: the technical posts on this site follow the CC BY-SA 4.0 license. If you need to republish, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM