在 PHP 中解析 ini 文件比在代码中定义变量更好吗?
我正在阅读有关 PDO 的内容,并且遇到了 parse_ini_file 函数。出于安全原因,许多开发人员建议使用此函数来解析数据库设置,而不是在代码中硬编码数据库设置。
我的问题是,为了额外的“安全性”,为 PHP 应用程序的每次加载都读取一个文件是否有意义?
我想知道这个文件读取的成本有多高..
php 5.3 在评论中 http://www.php.net/manual/en/class.pdo.php
I was reading about PDO and I came across the parse_ini_file function. A number of developers suggested using this function to parse in db settings rather than hard coding the db settings in code for security reasons.
My question to you is, does it make sense to do a file read for every load of your PHP application for this extra "security" ?
I wonder how expensive this file read is..
php 5.3
in the comments
http://www.php.net/manual/en/class.pdo.php
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
我真的不明白它如何更安全。
例如,如果您的数据库设置存储在主 Web 根目录之外的“config.php”文件中的定义中,那么它们就像存储在 .ini 中一样安全文件,并且不会有每页解析开销(除了必须按照正常情况包含配置文件之外)。
I don't really see how it's any more secure.
For example, if your DB settings are stored in defines within a "config.php" file outside of the main web root, they're just as secure as if they're were stored in a .ini file and there would be no per-page parsing overhead (other than having to include the config file as per normal).
PHP 文件中的硬编码设置不好,因为这些相同的 PHP 文件将被发送、复制、放入存储库等。密码应该得到更多的隐私保护。此外,源文件覆盖本地副本也很烦人。
请注意,我特指在项目代码库中嵌入常规 PHP 文件。如果您将配置设置放在位于所有这些外部的 PHP 文件中,则上述情况均不适用。
如果您担心解析一个配置文件的开销,那么您根本不应该使用 PHP...但是,您可以通过仅在无法找到缓存(例如,memcache)副本时解析它来限制文件读取。
Hard coding settings in PHP files is bad because those same PHP files will be sent around, copied, put into repositories, etc. The passwords should be treated with more privacy. Also, it's annoying to have to the source files overwrite your local copies.
Note that I'm referring specifically to embedding in regular PHP files in your project's codebase. If you place your config settings in a PHP file that sits external to all of that, then none of the above applies.
If you are worried about the overhead of parsing one config file, then you shouldn't be using PHP at all... However, you could limit file reads by parsing it only when a cached (e.g., memcache) copy cannot be found.
如果 ini 文件中存储的不仅仅是数据库访问权限,那么这是有意义的。它可以充当您应用程序的配置,因此您不必打开 10 个文件来更改 3 个硬编码变量/常量/其他内容。如果您不喜欢每次请求应用程序时都读取文件,请使用 php 文件来存储所有配置选项(将它们全部放在一个位置确实很好),并按照建议保留 ini/php配置文件从你的网络根目录中删除。
It makes sense if you have more than just db access stored in the ini file . It can act like a config for you're app so you don't have to open 10 files to change 3 hardcoded variables/constants/whatever . If you don't like reading a file each time you're app is requested then use a php file to store all you're config options ( keep them all in one place is realy good ) , and as sugested keep the ini/php config file out of you're web root .
可能不会。如果它是 .ini 文件,那么浏览器就可以访问它并下载它。至少 .php 有一个像样的空白屏幕。
Probably not. If its a .ini file then a browser can just visit it and download it. At least a .php has a decency of a blank screen.