duanji1610 2012-01-18 19:21

Should I use PHP serialize instead of a database to store a password?

I'm editing web pages directly using Ajax, and PHP with Simple HTML DOM. I don't see the point of using a database when I can do without. However, my hands go cold with fright when I think of storing the admin password for the app on the web server using serialize, even though it is above htdocs, it is encrypted and I am using an anti-brute-force script.

I don't want to use a database just for one password, but is it secure enough?

I look forward to your thoughts...

5 answers

  • dousi9215 2012-01-18 19:28
    A file with the correct chmod permissions is just as secure as a database storage in this instance.

    Think about it: the MySQL database is actually stored in binary files on your server's filesystem. If a malicious user gains access to your server they have the same access to the binary database files as any other file, including your serialized and encrypted data in a text file.

    As long as this text file isn't in a directory that's publicly accessible via the web server it's no less secure. Of course, if someone gets root access you're pretty much foobar'd either way.

    What you should never do is store clear text passwords. md5() is (just) okay. sha1() has now emerged as a better option for encrypting this type of data.

    This answer was selected by the asker as the best answer.
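
The file-based storage discussed in this thread, as an added example that is not part of the original question or answer: the password hash is written to an owner-only file outside the document root and checked at login. It assumes PHP 7.1+ on a POSIX filesystem, uses `password_hash()`/`password_verify()` rather than the `md5()`/`sha1()` calls named in the answer, stores JSON in place of `serialize()` output, and the path and function names are hypothetical.

```php
<?php
// Added example, not code from the original post.
// Assumption: this path is outside the web server's document root.
const CRED_FILE = '/var/www/private/admin_credential.json';

// Hash the password and write it to a file only the owner can read or write.
function store_admin_password(string $password, string $file = CRED_FILE): void
{
    // password_hash() generates a per-password salt and embeds the algorithm
    // and cost in its output, so nothing else has to be stored.
    $record = json_encode(['hash' => password_hash($password, PASSWORD_DEFAULT)]);

    // Create the temp file as 0600 before the hash is written to it, then
    // rename it into place so a reader never sees a half-written file.
    $tmp = $file . '.' . bin2hex(random_bytes(8)) . '.tmp';
    $old = umask(0177);
    $written = file_put_contents($tmp, $record, LOCK_EX);
    umask($old);
    if ($written === false || !rename($tmp, $file)) {
        @unlink($tmp);
        throw new RuntimeException('could not write credential file');
    }
}

// Check a login attempt against the stored hash.
function verify_admin_password(string $password, string $file = CRED_FILE): bool
{
    // Fail closed if the file is missing or group/other have any access to it.
    $perms = @fileperms($file);
    if ($perms === false || ($perms & 0077) !== 0) {
        return false;
    }
    // JSON instead of unserialize(): decoding cannot instantiate PHP objects.
    $record = json_decode((string) file_get_contents($file), true);
    if (!is_array($record) || !is_string($record['hash'] ?? null)) {
        return false;
    }
    return password_verify($password, $record['hash']);
}

// Demo against a throwaway file, using a constructed password.
$demo = sys_get_temp_dir() . '/admin_credential_demo.json';
store_admin_password('constructed-demo-passphrase', $demo);
var_dump(verify_admin_password('constructed-demo-passphrase', $demo));
var_dump(verify_admin_password('wrong-guess', $demo));
unlink($demo);
```

The permission check in `verify_admin_password()` makes a later accidental `chmod` that opens the file to other accounts show up as a failed login instead of a silent exposure.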