PHP5数据库密码会被盗吗?
大家好,我是 php 新手,我发现对于数据库连接,您可以直接将密码输入到 .php 文件中(“mysql_connect($host, $user, $pass, $db”)。我读到了有关哈希的内容,并且我'我将使用散列,但问题是用户是否可以下载预编译的 .php 文件并查看我的源代码,从而获取我的数据库密码,如果他写“domain/home”,我有一个 index.php 文件,该文件会阻止用户访问。进入目录。 先感谢您。
Hello guys I'm new to php and I discovered that for a database connection you input your password directly into .php file ("mysql_connect($host, $user, $pass, $db"). I read about hashing and I'm going to use hashing but the question is can the user download the precompiled .php file and view my source code and therefore get my database password. If he writes "domain/home" i have an index.php file which prevents the user from entering the directory.
Thank you in advance.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
正如其他回答者所提到的,通常这应该不是问题,因为用户将无法看到 PHP 代码。但是,如果您打算与其他人共享代码,则在将其发送给某人之前删除用户名和密码可能会有点麻烦(并且,如果您忘记了他们会知道您的密码)。
因此,您可以将信息放入文件中,然后将其读入 PHP。例如,在您的主目录中创建一个名为
mysql.ini的文件,并将以下信息放入其中:然后,将其读入 PHP 并连接,如下所示:
请记住确保该文件位于不过,网络服务器的一部分不可公开访问,否则人们将能够读取您的登录信息。
As mentioned by other answerers, normally this shouldn't be a problem since users won't be able to see the PHP code. If, however, you plan to share the code with others, it can be a bit of a hassle to remove the username and password before sending it to somebody (and, if you forget they'll know your password).
So, you could put the info in a file and then read it into PHP. For example, create a file called
mysql.iniin your home directory and put the following information in it:Then, read it into PHP and connect, like this:
Remember to make sure that the file is in a section of the web server that is not publicly accessible, though, otherwise people will be able to read your login info.
您无法在散列 MySQL 密码的同时仍然连接到数据库。如果您可以使用散列密码进行连接,攻击者也可以获取散列并进行连接。如果您将用户的密码存储在数据库中,则散列(加盐后效果更好)是一件好事,但在存储数据库凭据时却不太有用。
大多数人不会直接在其主应用程序文件中包含包含所有凭据的 mysql_connect 调用,而是至少需要来自包含凭据的文档根外部的配置文件。
如果您在文档根目录之外有像
config.php这样的文件,那么除非他们能在服务器中找到目录遍历漏洞,否则无法远程访问config.php。You cannot hash the MySQL password and still connect to the database. If you could connect with a hashed password, an attacker could get the hash and connect just as well. Hashing (even better when salted) is a good thing for if you're storing passwords for your users in a database, but isn't really usable when storing database credentials.
Most people, rather than directly including a
mysql_connectcall with all the credentials in their main application file, would at leastrequirea configuration file from outside the document root containing the credentials.If you have a file like
config.phpoutside of the document root, then unless they can find a directory traversal hole in the server,config.phpcannot be accessed remotely.不通过 mod_php 本身,但如果 Web 应用程序(或 Web 服务器)中存在某些安全漏洞,那么有人肯定可以读取随机 PHP 文件。如果攻击者可以闯入 Web 服务器,那么他们就可以检索数据库密码 - 是的,即使您将其存储在 Web 根目录之外。
你应该假设这有一天会发生;尝试限制此类信息泄露的后果。重点限制您连接的数据库帐户。 Web 应用程序不应连接到对数据库中的每个表具有读/写访问权限的数据库帐户。您应该限制数据库用户,使其只能从需要读取的表中读取数据,并且只能写入需要写入的表中。
使用存储过程是添加额外安全层的好方法,因为您可以在数据库本身中执行有关允许站点用户执行哪些操作的检查。那么Web DB 用户应该只能通过过程与数据库进行交互。即使攻击者能够发出随机数据库查询,这也会限制攻击者可以采取的操作。
Not through mod_php itself, but if there is some security vulnerability in the web application (or the web server) then someone could certainly read random PHP files. If the attacker can break into the web server, then they can retrieve the database password -- yes, even if you store it outside of the web root.
You should assume that this will happen some day; try to limit the consequences of such an information leak. Focus on restricting the database account you connect with. A web application should not be connecting to a database account that has read/write access to every table in the database. You should restrict the DB user so it can only read from tables it needs to read from, and only write to tables that it needs to write to.
Using stored procedures is a good way to add an additional layer of security, since you can perform checks in the database itself regarding what actions the site user is allowed to perform. Then the web DB user should only be able to interact with the database through procedures. This would limit the actions that an attacker could take even if he was able to issue random database queries.
查看 php 页面的源代码 - 看到任何 php 代码吗?在发送到用户浏览器之前,您不应该由服务器运行它。仍然建议您将包含登录详细信息的文件放在 Web 根目录下,以防服务器出现故障并且无法解析 php 文件。
view source of your php page- see any php code? you shouldn't its run by the server before being sent to the users browser. still it is recommended you put the file with the login details below the web root, in case something breaks on the server and php files are not parsed.