dsnpjz6907 2012-01-30 16:21
浏览 22
已采纳

在PHP常量和安全性中存储数据库凭据[重复]

Possible Duplicate:
Is it ever ok to store password in plain text in a php variable or php constant?

I used to store my db credentials in a PHP file like this:

<?php
    define('HOST', 'localhost');
    define('USER', 'db_user');
    define('PASS', 'user_pass');
    define('DB', 'database');
?>

I use constants but in a recently project, one of the PHP coders said that storing db credentials into constants wasn't secure. I don't get it. I tried to find some information but nobody says nothing about this.

Is there any security risk in storing db credentials into PHP constants?

  • 写回答

2条回答 默认 最新

  • douzhang2092 2012-01-30 16:27
    关注

    The only risk is if you have the definitions under the document root. In that case, if something goes wrong with your server configuration and people can see your PHP code, the constants (and thus database credentials) will be exposed.

    The most secure way (that I know of) is to have the credentials as part of the server environment that is restricted only to root. Then, developers can use _SERVER['db_user'], etc. This is potentially more secure in that the people who have access to the actual DB credentials are more limited. It also gives you the flexibility to use different credentials depending on the server (development vs. production, for example). However, you can see all server environment variables with phpinfo(), var_dump($_SERVER), etc. so you have to take care not to upload such things.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 用hfss做微带贴片阵列天线的时候分析设置有问题
  • ¥50 我撰写的python爬虫爬不了 要爬的网址有反爬机制
  • ¥15 Centos / PETSc / PETGEM
  • ¥15 centos7.9 IPv6端口telnet和端口监控问题
  • ¥120 计算机网络的新校区组网设计
  • ¥20 完全没有学习过GAN,看了CSDN的一篇文章,里面有代码但是完全不知道如何操作
  • ¥15 使用ue5插件narrative时如何切换关卡也保存叙事任务记录
  • ¥20 海浪数据 南海地区海况数据,波浪数据
  • ¥20 软件测试决策法疑问求解答
  • ¥15 win11 23H2删除推荐的项目,支持注册表等