在PHP常量和安全性中存储数据库凭据[重复]
Possible Duplicate:
Is it ever ok to store password in plain text in a php variable or php constant?
I used to store my db credentials in a PHP file like this:
<?php
define('HOST', 'localhost');
define('USER', 'db_user');
define('PASS', 'user_pass');
define('DB', 'database');
?>
I use constants but in a recently project, one of the PHP coders said that storing db credentials into constants wasn't secure. I don't get it. I tried to find some information but nobody says nothing about this.
Is there any security risk in storing db credentials into PHP constants?
可能重复: strong>
是它 是否可以在php变量或php常量中以明文形式存储密码? p> blockquote>我曾经将我的数据库凭据存储在一个 像这样的PHP文件: p>
&lt;?php define('HOST','localhost'); define('USER','db_user'); \ n define('PASS','user_pass'); define('DB','database'); ?&gt; code> pre>我使用常量 但是在最近的一个项目中,一位PHP编码员表示将数据库凭证存储到常量中并不安全。 我不明白。 我试图找到一些信息,但没有人对此有任何说法。 p>
将数据库凭据存储到PHP常量中是否存在安全风险? p> div>
The only risk is if you have the definitions under the document root. In that case, if something goes wrong with your server configuration and people can see your PHP code, the constants (and thus database credentials) will be exposed.
The most secure way (that I know of) is to have the credentials as part of the server environment that is restricted only to root. Then, developers can use _SERVER['db_user'], etc. This is potentially more secure in that the people who have access to the actual DB credentials are more limited. It also gives you the flexibility to use different credentials depending on the server (development vs. production, for example). However, you can see all server environment variables with phpinfo(), var_dump($_SERVER), etc. so you have to take care not to upload such things.
Is there any security risk in storing db credentials into PHP constants?
There always is some risk in storing important information, like username and password for a database.
But I can not imagine that using a constant is more a security risk than like saying using a variable.
A potential risk however is, that the configuration is written in code. So it's not really static. It's probably more fail-safe to use a configuration file instead which does not need to be executed itself.