问题
I just got a task to work on an old-styled-developed webpage.
It means, the common used variables / constants and variables of database connection are in the viewing php-engine, not in a separated file. :-(
I thought I will put them into a config.php or config.inc file, and just using with require_once('/path/filename'); in the engine.
My problem is , that I am not familiar with the securing, so I thought, I change the privileges (maybe 755?).
Is there anything else I could do?
回答1:
Move the config file outside the public folder so it cannot be accessed via URL. Otherwise, a misconfiguration in your webserver might send the file unparsed (someone might forget to tell the webserver that .inc files should be run through php. I never name them .inc for that reason. Always .php). It's rare but I had this happen at least two times on sites I visited and they had credentials in their files, too.
回答2:
The file permissions need to remain. But you can indeed make the script itself inaccessible via:
<Files config.php>
Order Deny
Deny From All
</Files>
But that's just a superficial precaution. If you name that script "config.php" it is not web-accessible anyway.
If you are on shared hosting, there is nothing you can do to prevent snooping from other accounts. This requires a server setup with suphp/suexec for restricting file system access to other users.
回答3:
if you name your config file as whatever.php and it only has constants or vars definition (or even more code) and you include_once it, this has no security issues. Wordpress uses this approach
来源:https://stackoverflow.com/questions/8742507/best-practice-to-hide-secure-the-php-engine-config-file