Factor it out into a separate config file. For one, it'll let you at the very least set some variable like "DEBUG_MODE" that will switch out your production credentials for your test environment ones. You can optionally not keep the separate file under version control if you like, or keep one with dummy credentials in your code repository so that users have to supply their own credentials instead of having access to global ones.
You should not hard code any credentials. Best thing is to read from a configuration file and cache them. Even in that case you better not put credentials in clear text - we need to encrypt the credentials in configuration files. At WSO2 all the credentials we read from configuration files are kept encrypted and use an approach called Secure Valut [a generic approach] to read those encrypted credentials and provide in clear text to the required application...
It seems reasonable to split them out so that you can share code without sharing machine specific information. This is useful for multiple developers who have more than one user for their dev DB.
Reading from a file shouldn't be that much of a burden, particularly a file of some format: xml, json, yaml, ...
As the other answers suggest, most large projects hard code the username and password somewhere in the project, usually in a configuration file. I have never seen any that do it another way, however in the specific case that non-logged-in users do not need database access, it is possible encrypt the DB credentials and use everyone's password as a passphrase to decrypt them. Another drawback is if the user forgets their password, they won't be able to recover it without admin intervention and all existing users would need their passwords to be reset.
发布评论
评论(4)
将其分解为单独的配置文件。其一,它至少可以让您设置一些变量,例如“DEBUG_MODE”,它将切换您的测试环境的生产凭据。如果您愿意,您可以选择不将单独的文件置于版本控制之下,或者在代码存储库中保留具有虚拟凭据的文件,以便用户必须提供自己的凭据,而不是访问全局凭据。
Factor it out into a separate config file. For one, it'll let you at the very least set some variable like "DEBUG_MODE" that will switch out your production credentials for your test environment ones. You can optionally not keep the separate file under version control if you like, or keep one with dummy credentials in your code repository so that users have to supply their own credentials instead of having access to global ones.
您不应该对任何凭据进行硬编码。最好的办法是从配置文件中读取并缓存它们。即使在这种情况下,您最好也不要以明文形式放置凭据 - 我们需要对配置文件中的凭据进行加密。在 WSO2,我们从配置文件中读取的所有凭据都保持加密状态,并使用一种称为 Secure Valut [通用方法] 的方法来读取这些加密凭据并以明文形式提供给所需的应用程序...
谢谢...
You should not hard code any credentials. Best thing is to read from a configuration file and cache them. Even in that case you better not put credentials in clear text - we need to encrypt the credentials in configuration files. At WSO2 all the credentials we read from configuration files are kept encrypted and use an approach called Secure Valut [a generic approach] to read those encrypted credentials and provide in clear text to the required application...
Thanks...
典型的 rails 配置 将用户名和密码存储在文件中。
将它们分开似乎是合理的,这样您就可以共享代码而不共享机器特定信息。这对于拥有多个开发数据库用户的多个开发人员来说非常有用。
从文件中读取不应该是太大的负担,特别是某种格式的文件:xml、json、yaml...
Typical rails configuration has usernames and passwords stored in a file.
It seems reasonable to split them out so that you can share code without sharing machine specific information. This is useful for multiple developers who have more than one user for their dev DB.
Reading from a file shouldn't be that much of a burden, particularly a file of some format: xml, json, yaml, ...
正如其他答案所表明的那样,大多数大型项目都会在项目中的某个位置(通常在配置文件中)对用户名和密码进行硬编码。我从未见过任何其他方式这样做,但是在非登录用户不需要数据库访问的特定情况下,可以加密数据库凭据并使用每个人的密码作为解密它们的密码。另一个缺点是,如果用户忘记密码,没有管理员干预,他们将无法恢复密码,并且所有现有用户都需要重置密码。
As the other answers suggest, most large projects hard code the username and password somewhere in the project, usually in a configuration file. I have never seen any that do it another way, however in the specific case that non-logged-in users do not need database access, it is possible encrypt the DB credentials and use everyone's password as a passphrase to decrypt them. Another drawback is if the user forgets their password, they won't be able to recover it without admin intervention and all existing users would need their passwords to be reset.