发表新帖
发表新帖

How to secure database passwords in PHP?

后端 未结
关注
16 1195
闹比i
闹比i 2020-11-21 22:41

When a PHP application makes a database connection it of course generally needs to pass a login and password. If I\'m using a single, minimum-permission login for my applica

相关标签:
16条回答
  • 甜味超标
    2020-11-21 23:34

    If you are using PostgreSQL, then it looks in ~/.pgpass for passwords automatically. See the manual for more information.

    0 讨论(0)
  • 说谎
    2020-11-21 23:35

    If you're talking about the database password, as opposed to the password coming from a browser, the standard practice seems to be to put the database password in a PHP config file on the server.

    You just need to be sure that the php file containing the password has appropriate permissions on it. I.e. it should be readable only by the web server and by your user account.

    0 讨论(0)
  • 闹比i
    2020-11-21 23:37

    Store them in a file outside web root.

    0 讨论(0)
  • 天涯浪人
    2020-11-21 23:37

    Previously we stored DB user/pass in a configuration file, but have since hit paranoid mode -- adopting a policy of Defence in Depth.

    If your application is compromised, the user will have read access to your configuration file and so there is potential for a cracker to read this information. Configuration files can also get caught up in version control, or copied around servers.

    We have switched to storing user/pass in environment variables set in the Apache VirtualHost. This configuration is only readable by root -- hopefully your Apache user is not running as root.

    The con with this is that now the password is in a Global PHP variable.

    To mitigate this risk we have the following precautions:

    • The password is encrypted. We extend the PDO class to include logic for decrypting the password. If someone reads the code where we establish a connection, it won't be obvious that the connection is being established with an encrypted password and not the password itself.
    • The encrypted password is moved from the global variables into a private variable The application does this immediately to reduce the window that the value is available in the global space.
    • phpinfo() is disabled. PHPInfo is an easy target to get an overview of everything, including environment variables.
    0 讨论(0)
 看不清?
提交回复
热议问题