PHP connection to database: is it secure?

I use the following PHP code to connect to a MySQL database.

<?php
// Plaintext credentials for the MySQL account; the file holding them is
// included by every script that needs the database.
$hostname = "hostname.com";
$database = "dbtest";
$username = "admin";
$password = "pass123";
// mysql_pconnect() opens (or reuses) a persistent connection through the
// legacy mysql_* extension; on failure the connection error aborts the script.
$connect = mysql_pconnect($hostname, $username, $password) or trigger_error(mysql_error(), E_USER_ERROR);
mysql_select_db($database);

This code is placed in a connection file called connect.php, which is included in all PHP scripts that require access to the database.

If a hacker gets the URL of connect.php (http://www.domainname.com/connect.php), is it possible to hack my database? How can I ensure that the PHP connection code does not help the hacker? Or which is the most secure way of connecting to the database?

You should never ever have PHP files with code inside the document root of your website. The only thing in the document root should be a bootstrap file, and all requests should be routed through it. If you have that file inside the document root of your site and for some reason the webserver doesn't parse the file, it will be displayed as is.

And please, don't use mysql_* functions in new code. They are no longer maintained and the community has begun the deprecation process. See the red box? Instead you should learn about prepared statements and use either PDO or MySQLi. If you can't decide, this article will help you choose. If you care to learn, here is a good PDO tutorial.

And always use an encrypted connection (SSL).

See this for routing examples and dispatching patterns. Basically what should happen is: all requests are handled by the index.php file under the document root. The index.php bootstraps everything, i.e. it calls (includes) another file outside of the document root. This file will check the URL of the request, find out which file belongs to the current URL and execute it.
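To make the layout this answer describes concrete, here is an added example (it is not code from the question or from any of the answers): a single front controller under the document root that includes a credentials file kept outside it, connects with PDO over TLS, dispatches on a fixed route table, and uses a prepared statement for the one query that takes user input. The directory paths, the DSN, the CA bundle location and the `users` table are assumptions.

```php
<?php
// public/index.php: the only PHP file under the document root.
// Added example, not code from the question or from any of the answers.
//
// Assumed layout (only /var/www/public is served by the webserver):
//   /var/www/app/config.php     credentials, unreachable by URL
//   /var/www/public/index.php   this file; every request is rewritten to it
//
// app/config.php is assumed to contain:
//   <?php
//   return [
//       'dsn'      => 'mysql:host=hostname.com;dbname=dbtest;charset=utf8mb4',
//       'username' => 'admin',
//       'password' => 'pass123',
//       'ssl_ca'   => '/etc/ssl/certs/mysql-ca.pem', // CA that signed the server cert
//   ];

declare(strict_types=1);

$config = require __DIR__ . '/../app/config.php';

// Connect with PDO over TLS. MYSQL_ATTR_SSL_CA tells the client which CA to trust and
// MYSQL_ATTR_SSL_VERIFY_SERVER_CERT makes it refuse a server whose certificate does not
// chain to that CA, so a man-in-the-middle cannot present its own certificate.
$pdo = new PDO($config['dsn'], $config['username'], $config['password'], [
    PDO::ATTR_ERRMODE                      => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
    PDO::ATTR_EMULATE_PREPARES             => false,                  // real server-side prepared statements
    PDO::ATTR_DEFAULT_FETCH_MODE           => PDO::FETCH_ASSOC,
    PDO::MYSQL_ATTR_SSL_CA                 => $config['ssl_ca'],
    PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,
]);

// Fixed route table: the request path selects a closure, never a file name taken
// from the request, so a URL cannot name an arbitrary file on disk.
$routes = [
    '/' => fn (PDO $db): string => 'Hello',
    '/user' => function (PDO $db): string {
        // Untrusted input is validated and then bound as a parameter; it is never
        // concatenated into the SQL string.
        $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
        if ($id === null || $id === false) {
            http_response_code(400);
            return 'Bad request';
        }
        $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch();
        return $row === false
            ? 'No such user'
            : htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'); // escape on output
    },
];

$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
if (!isset($routes[$path])) {
    http_response_code(404);
    echo 'Not found';
    exit;
}
echo $routes[$path]($pdo);
```

The webserver is assumed to rewrite every request to index.php. The point of the layout is that if the server ever serves PHP as plain text, the only file it can expose is this one, and it contains no credentials; the password lives in a file no URL maps to. `PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT` is available as of PHP 7.1; without it the client will still negotiate TLS but will accept any server certificate.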

Typically, this should be secure regarding your config data, if the hacker only has the URL to the file and if your webserver is configured properly so that the raw source code is not revealed.

You can increase security if you place such a config file outside the web root directory.

  1. Do not use mysql_* functions.
  2. Put the file somewhere other than under the directory that is the document root for the web server.
  3. Configure the web server to only allow connections from a list of IP addresses.
  4. Consider always using a secure connection (SSL) and configure the database to only use SSL.
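The previous two answers both turn on where the credentials file sits relative to the document root. Here is an added command-line check (not code from any of the answers) that audits a deployment against that rule and two related ones from this thread: the credentials file is outside the served tree, it is readable only by its owner, and no PHP source other than the front controller lives under the document root. The script builds a small constructed directory tree to run against, so it works offline; the `public/` and `app/` names are assumptions. Item 3 of the list above (the IP allowlist) is webserver configuration and is not covered here.

```php
<?php
// audit_layout.php: run from the command line against a deployment.
// Added example, not code from any of the answers. It checks three of the rules
// given above: credentials outside the document root, credentials readable only
// by their owner, and no PHP source under the document root except the front controller.

declare(strict_types=1);

/**
 * Returns the problems found; an empty array means the layout passes.
 *
 * @param string   $docRoot  directory the webserver serves
 * @param string   $config   path of the credentials file
 * @param string[] $allowed  basenames of PHP files permitted under $docRoot
 * @return string[]
 */
function auditLayout(string $docRoot, string $config, array $allowed = ['index.php']): array
{
    $root = realpath($docRoot);
    $cfg  = realpath($config);
    if ($root === false || $cfg === false) {
        return ['document root or credentials file does not exist'];
    }
    $problems = [];

    // 1. Canonical paths are compared, so ../ tricks in either argument do not
    //    hide a credentials file that really sits under the served tree.
    if (strpos($cfg, $root . DIRECTORY_SEPARATOR) === 0) {
        $problems[] = "$cfg is inside the document root $root";
    }

    // 2. Group/other read bits mean any local user (or another vhost's PHP
    //    running as the same webserver account) can read the password.
    $mode = fileperms($cfg) & 0777;
    if (($mode & 0044) !== 0) {
        $problems[] = sprintf('%s is readable by group/others (mode %o)', $cfg, $mode);
    }

    // 3. A .php file under the document root is one misconfiguration away from
    //    being served as plain text, so only the front controller may live there.
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (strtolower($file->getExtension()) === 'php'
            && !in_array($file->getFilename(), $allowed, true)) {
            $problems[] = 'PHP source under document root: ' . $file->getPathname();
        }
    }
    return $problems;
}

// Constructed demo tree (not a real deployment) so the script runs offline:
// a stray connect.php under public/ and a world-readable app/config.php.
$base = sys_get_temp_dir() . '/layout_' . bin2hex(random_bytes(4));
mkdir("$base/public", 0755, true);
mkdir("$base/app", 0755, true);
file_put_contents("$base/public/index.php", "<?php // front controller\n");
file_put_contents("$base/public/connect.php", "<?php \$password = 'pass123';\n");
file_put_contents("$base/app/config.php", "<?php return ['password' => 'pass123'];\n");
chmod("$base/app/config.php", 0644);

$problems = auditLayout("$base/public", "$base/app/config.php");
echo $problems === [] ? "OK\n" : 'FAIL: ' . implode("\nFAIL: ", $problems) . "\n";
```

Against a real deployment, pass the served directory and the credentials file as `auditLayout()` arguments instead of the constructed tree. The constructed tree deliberately reproduces the question's situation (a connect.php with a password under the document root) plus a config file with mode 0644, and the audit reports both.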

Nothing will happen if anyone accesses this page.

Though mysql_* by itself is insecure.

It's safe. You can also store the file outside DocumentRoot.
