在PHP网站中安全存储数据库凭据的位置
我正在开发一个网站,该网站最终将连接到mySQL数据库.我的问题是我如何安全地存储这些凭据,以便在我的PHP站点中访问该数据库,而又不会因为例如服务器将PHP作为普通文本返回而意外损坏这些凭据的风险?任何帮助表示赞赏,谢谢! :)
I am developing a website that will eventually be connecting to a mySQL database. My question is how do I safely and securely store those credentials to access that database within my PHP site without risk of them accidentally being compromised by, for example, the server returning PHP as normal text? Any help is appreciated, thanks! :)
此问题的常见做法包括将数据库凭据放入非PHP的配置文件(例如.ini文件)中,然后使用PHP读取.为了增加安全性,您还应该将配置文件放置在Web根目录之外,这样可以确保没有人可以通过直接导航到该文件来访问该文件.
Common practices for this problem include putting the database credentials in a configuration file that is not PHP, such as a .ini file, and then reading that with PHP. To add extra security you should also put the configuration file outside of the web root, so that you can be sure no one can access the file by navigating directly to it.
例如,Laravel框架(除其他外)在/public目录中定义了Web根目录,而在该目录之外的是一个.env文件,其中包含数据库凭据以及其他设置.
For example, the Laravel framework (among others) define the web root in the /public directory, while outside that directory is a .env file containing database credentials among other settings.
在这里查看更多信息:如何在PHP中保护数据库密码?
Have a look here for more info: How to secure database passwords in PHP?
但是,更重要的是,您永远不必担心将PHP用作纯文本.采取适当的开发预防措施以确保永远不会发生这种情况.一些起点是:
More importantly though, you should never have to worry about your PHP being served as plain text. Take the proper development precautions to ensure this never happens. Some starting points are:
- 确保已安装PHP!
- 确保正确打开和关闭标签
- 确保文件扩展名是
.php而不是.html(除非您使用显示错误 ini)
- Making sure you have PHP installed!
- Make sure you open and close your tags properly
- Make sure your file extension is
.phpand not.html(unless you use this work around) - Also make sure in production code that you aren't displaying errors on the page (display_errors ini)