dongtong2021
2017-11-02 14:08
采纳率: 0%
浏览 120
已采纳

PHP:在.ini文件中存储敏感信息是好还是坏的方法?

I'm confused about something and need some explanations.

In my practice I normaly see that 90% of PHP developers all sensitive informations like database connections, FTP, SMTP setup etc. store inside some variable, array, objects or constants.

I wonder now is better to use some ini file out of rootand store there? Or is better to hide somewhere .ini file and denay access via .htaccess?

Generaly, I want to save that sensitive data on most secure way.

图片转代码服务由CSDN问答提供 功能建议

我对某些事情感到困惑,需要一些解释。

在我的 练习我正常地看到90%的PHP开发人员所有敏感信息,如数据库连接,FTP,SMTP设置等都存储在一些变量,数组,对象或常量中。

我想现在更好 从root用户那里使用一些ini文件并存储在那里? 或者最好通过.htaccess隐藏某处.ini文件和拒绝访问?

通常,我想以最安全的方式保存敏感数据。

  • 写回答
  • 好问题 提建议
  • 关注问题
  • 收藏
  • 邀请回答

2条回答 默认 最新

  • douan0729 2017-11-02 14:19
    已采纳

    There is no perfectly safe choice, but some are better than others.

    Don't save sensitive information in your project's source code -- you don't want your passwords and API keys on github.

    Saving sensitive information in a database is fine, but then you still need somewhere to store the database credentials, and you're right back where you started.

    You can save sensitive information in environment variables. These would usually be set up in your web server's configuration file(s).

    Saving sensitive information in an ini file is fine, provided the following:

    • The file has the minimal permissions required.
    • The file is completely outside the web server's document root and thus can't ever be served directly. Don't put the file in your main directory and then use .htaccess to deny access to it.
    • The file is not committed to source control. If you're using git, edit your .gitignore so that the file is ignored.

    These should also go without saying:

    • The user account running the web server process should never have write permission to the files it's serving.
    • Other non-privileged users on the machine running the web server process should not have read access to the files it's serving.
    已采纳该答案
    评论
    解决 无用
    打赏 举报
  • dsgwdigu84950 2017-11-02 14:33

    For me, I would suggest to store it in a dot file such .env (like what Laravel does), or environment variables, or INI file (as what you said above) as long as it is hidden from the world or if some hack your server, they won't be able to see it easily or they won't be able to access it.

    评论
    解决 无用
    打赏 举报

相关推荐 更多相似问题