问题
I feel a bit anxious to put my database username, password and encryption keys into a PHP file that everyone who hacked himself into the server could easily read. Is it maybe possible to load PHP and tell it the passwords it might need upfront?
My question is simple: Is there any other way to let PHP know about the DB password and key other than to put everything into one file?
Any ideas are welcome.
回答1:
To my knowledge you will have to declare your variables at some point in order to initiate a DB connection. You can, however, do certain things to make it more difficult for someone to read it.
In addition to safe programming practices mentioned in another answer, you can be sure to only store your passwords in one file (such as Config.php) and include it in your database connection function. Moreover, you can store this variable outside the web root, meaning that people will not be able to access it unless they have server access.
You can also make it more difficult to be read for someone who gains access. This includes encrypting it with a Symmetric Key Algorithm, and then decrypting it when used. Note that the encryption/decryption key will have to also be stored on the server which, again, make this little more than an inconvenience.
Take proper security steps in securing your code, and restrict your database so it can only be accessed locally. This should provide ample security.
回答2:
Technically speaking, nobody cant see your php scripts. Anyways, I just updated my DB macros to the newest standards. This is how I do things in my CMS:
config.php file:
<?
if (!defined('A52CMS')) {die('What are you looking for? 0.o');}
$config_mysql = array(
'database' => 'databasename1',
'user' => 'username1',
'password' => 'password1',
'table_prefix' => 'a52_'
);
db_macros.php file:
<?
if (!defined('A52CMS')) {die('What are you looking for? 0.o');}
class DB {
protected $default_config = array(
'server' => 'localhost',
'database' => '',
'user' => 'root',
'password' => '',
'table_prefix' => 'a52_',
'mysql_config_array' => 'config_mysql'
);
function __construct ($config_mysql) {
$this->config = array_merge($this->default_config, $config_mysql);
/* There are some secret connection related stuff here */
mysql_query("SET NAMES utf8");
unset($this->config['password']);
unset($GLOBALS[$this->config['mysql_config_array']]);
}
/* There are alot of mysql related functions here */
function __destruct () {
mysql_close($this->conn);
if (@mysql_ping($this->conn)) {
CriticalError('Closing mysql connection was unsuccessful!');
}
}
}
core.php file:
<?
if (!defined('A52CMS')) {die('What are you looking for? 0.o');}
require('config.php');
// Lets try to display the mysql raw data
print_r($config_mysql); // displays something
require('db_macros.php');
$DB = new DB($config_mysql);
// Lets try to display the mysql raw data AGAIN
print_r($config_mysql); // displays nothing
index.php file:
<?
define('A52CMS', true);
require('core.php');
// This where the content starts.. if some plugin is being included, then mysql data is already unset, so basically you cannot hack them..
You might get some ideas how to make your applications little bit more secure. Also you might get some new ideas on how to contruct your custom mysql class (if you havent done so already.)
回答3:
- make secure scripts. If your scripts are secure, there's no way to get hacked
- make your scripts which contains password(s) only apache-readable
- make sure access to your password files are out of web scope
I did not even see another method to "save" password(s) than these
来源:https://stackoverflow.com/questions/7264203/load-db-password-and-keys-into-phps-memory-on-startup