stackoom
  简体   繁体   中英

Secure storage of database credentials

 原文  2012-05-30 22:50:00       php/ database/ security

Question

Had a major problem recently where my web hosting company messed up and all my php files were displayed in plain text. This was a major issue for me for obvious reasons. Mainly because mysql database details were exposed.

I am now trying to change the way in which my php files get the login information for the database so that this will never happen again even if the hosting company fail me.

my current set up looks like this : 

     include 'info.php';

    class Login {

var $host;
var $username;
var $password;
var $db;
var $url;

Inside the info.php is the username, password and so on for the database. I want to make it so that the info.php file can never be viewed and only my .php files are able to access info.php in order to get the login infomation.

How can i set this up? This is a bit of a tricky one for me to explain so please dont be harsh and -1 me for a bad description.. just ask and i will clear up any gaps in my description.

3 answers

solution1
 5 ACCPTED  2012-05-30 22:52:32

Simply place info.php outside your webroot. This way, you can include it, but should your web hosting f*#$ up, no one else can view that file, even as plain text.

You would then include it like this:

include('../info.php');

This way, even if someone finds out that you have a file called info.php that stores all your passwords, they cannot point their browser to that file.

The above would be the ideal and most watertight solution. However, if that is not possible due to permissions, the other option would be to place all sensitive files in a directory and block direct access to that directory using a .htaccess file.

In the directory you want to block off access to, place an .htaccess file with the following contents:

deny from all

solution2
 1  2012-05-30 22:57:07

If for some reason xbonez's answer doesn't work (lets say one doesn't have access to a non document_root folder).. You can achieve the same thing by using .htaccess 

<files info.php>
 order allow,deny
 deny from all
</files>

This, should in theory (non tested) protect the file from being used in the browser but not block php from including said file.

solution3
 -2  2012-05-30 22:56:45

创建重定向到文件的表单以获取示例“requests.php”,并为您的所有请求启用它。如果您的数据正确重定向到特定页面,如果不这样做。在交换机的末尾放置anoter重定向用这种方式,用户看不到那个页面。不要把它放在那里或者其他东西 - 只有逻辑。

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Secure storage of database connection credentials How to save SSH credentials secure in database? Keeping database credentials secure in a PHP application How to secure database credentials stored in Laravel environment files? How can I secure my database credentials when using shared hosting and no access to outside the webroot? Storage of database credentials in php.ini or a php file (ex. database_connection.php)? Secure password storage Secure file storage in a server Secure password generation and storage Is this password storage method secure?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM