拒绝访问 .htaccess 中的 .ini 文件是否安全?
[英]Is it safe to deny access to .ini file in .htaccess?
问题描述
I have a .ini file with sensitive information in my php wab app.
我的 php wab 应用程序中有一个包含敏感信息的 .ini 文件。 I denied access to it using a .htaccess file:我拒绝使用 .htaccess 文件访问它:
<files my.ini>
order deny,allow
deny from all
</files>
I don't have access to folders outside of htdocs, so I can't move the .ini file out of browsable territory.我无权访问 htdocs 之外的文件夹,因此我无法将 .ini 文件移出可浏览区域。
Is my solution safe?我的解决方案安全吗?
3 个解决方案
解决方案1
7 已采纳 2008-10-19 07:39:32
The .htaccess will block access from the web. .htaccess 将阻止来自网络的访问。 However, if you're using a shared hosting environment, it might be possible for other users to access your ini.但是,如果您使用的是共享托管环境,则其他用户可能会访问您的 ini。 If its on a (virtual private) server and you're the only user for that server you're safe.如果它在(虚拟专用)服务器上并且您是该服务器的唯一用户,那么您是安全的。
In case of shared hosting it depends on server configuration.如果是共享主机,则取决于服务器配置。 For more info read: PHP Security in a shared hosting environment有关更多信息,请阅读: 共享托管环境中的 PHP 安全性
You can temporarily install PHPShell and browse through the server filesystem to check if your server is vulnerable.您可以临时安装PHPShell并浏览服务器文件系统以检查您的服务器是否存在漏洞。 (requires some commandline knowledge) (需要一些命令行知识)
解决方案2
5 2013-12-07 19:49:02
Another good solution and my personal favourite (especially when developing code that might not remain under my stringent .htaccess control) is securing the actual .ini file.另一个很好的解决方案和我个人最喜欢的(尤其是在开发可能不受我严格的 .htaccess 控制的代码时)是保护实际的 .ini 文件。 Thanks to a kind soul here - user notes: pd at frozen-bits dot de , what I do is:感谢这里的好心人 - 用户注释: pd at freeze-bits dot de ,我所做的是:
my.ini -> changes to my.ini.php
my.ini.php starts off: my.ini.php 开始:
;<?php
;die(); // For further security
;/*
[category]
name="value"
;*/
Works perfectly!完美运行! Access the file directly and all you see is ';'直接访问文件,你看到的只有';' and it is a valid, parseable .ini file.它是一个有效的,可解析的.ini文件。 What's not to like :)什么不喜欢:)
A few notes on actual implementation (apologies if this counts as "overshare" but maybe save someone some time):关于实际实施的一些注意事项(如果这算作“过度分享”,但可能会节省一些时间,对此表示歉意):
- This file makes my IDE very Upset and it keeps trying to auto-reformat which then makes PHP Upset.这个文件让我的 IDE 非常沮丧,它不断尝试自动重新格式化,这让 PHP 感到不安。 Blessings be on Notepad++.祝福记事本++。
- Don't forget the closing
;*/.不要忘记结束;*/。 It still works if you leave it out but PHP warns you that it is about to become Upset.如果您不使用它,它仍然有效,但 PHP 会警告您它即将变为 Upset。
Sorted.排序。
解决方案3
2 2008-10-19 05:39:46
The file will not be visible from apache.该文件在 apache 中不可见。 Obviously the best option is to put it outside of your site's root.显然,最好的选择是将其放在站点根目录之外。 If you can't do that, .htaccess files (or similar directives in your apache configs) is pretty much your only option.如果您不能这样做,.htaccess 文件(或 apache 配置中的类似指令)几乎是您唯一的选择。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.