问题
After reading through an article on a site, I became really worried for my own server's security...
Inside a PHP file, which is later on included on all my main php pages that get showed to users, my username and password (used all over my website - server root, mysql root etc) are inserted in plain text... is there anything to worry about? can anyone read the php file (like download it and read it instead of having the server execute it)?
Is there any risk of having my username and password stolen? they are simple text fields giving values to variables.
If so, is there any solution that you would suggest? like a crypto engine? or something?
Thanks in advance!
回答1:
Store your configuration file containing usernames and passwords outside of your publicly-accessible root folder.
For example, if your root folder is /home/username/public_html/ then store the config file in /home/username/.
You can still include the config file in your PHP scripts running in public_html but should anything go awry (i.e. your web server starts printing PHP script contents rather than processing scripts) then your usernames and passwords should still be safe.
回答2:
- Store the file outside the web root
- Set up the proper file permissions, so the other users can't use it.
来源:https://stackoverflow.com/questions/6582173/php-security-password-and-credentials-management