How to secure database passwords in PHP?

闹比i 2020-11-21 22:41

When a PHP application makes a database connection it of course generally needs to pass a login and password. If I'm using a single, minimum-permission login for my applica

16 answers
  • 2020-11-21 23:34

    If you are using PostgreSQL, then it looks in ~/.pgpass for passwords automatically. See the manual for more information.

  • 2020-11-21 23:35

    If you're talking about the database password, as opposed to the password coming from a browser, the standard practice seems to be to put the database password in a PHP config file on the server.

    You just need to be sure that the php file containing the password has appropriate permissions on it. I.e. it should be readable only by the web server and by your user account.

  • 2020-11-21 23:37

    Store them in a file outside web root.

  • 2020-11-21 23:37

    Previously we stored DB user/pass in a configuration file, but have since hit paranoid mode -- adopting a policy of Defence in Depth.

    If your application is compromised, the user will have read access to your configuration file and so there is potential for a cracker to read this information. Configuration files can also get caught up in version control, or copied around servers.

    We have switched to storing user/pass in environment variables set in the Apache VirtualHost. This configuration is only readable by root -- hopefully your Apache user is not running as root.

    The con with this is that now the password is in a Global PHP variable.

    To mitigate this risk we have the following precautions:

    • The password is encrypted. We extend the PDO class to include logic for decrypting the password. If someone reads the code where we establish a connection, it won't be obvious that the connection is being established with an encrypted password and not the password itself.
    • The encrypted password is moved from the global variables into a private variable. The application does this immediately to reduce the window that the value is available in the global space.
    • phpinfo() is disabled. PHPInfo is an easy target to get an overview of everything, including environment variables.
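The scheme in the answer above (encrypted password in a VirtualHost environment variable, a PDO subclass that decrypts it, the value moved out of the globals immediately), as an added example that is not the answerer's own code. It assumes the names DB_DSN, DB_USER and DB_PASS_ENC for the SetEnv variables and /etc/myapp/db.key for a 32-byte libsodium key file outside the web root, readable only by the web server user.

```php
<?php
// Added example: a PDO subclass for the answer's approach. Assumed names:
// DB_DSN, DB_USER, DB_PASS_ENC (set via SetEnv in the VirtualHost) and
// /etc/myapp/db.key (32 raw bytes, outside the web root, readable only by the web server user).
final class SecurePDO extends PDO
{
    private string $encryptedPassword;

    public function __construct(string $keyFile = '/etc/myapp/db.key')
    {
        // Move the secret into a private property and scrub it from the globals at once.
        $this->encryptedPassword = (string) ($_SERVER['DB_PASS_ENC'] ?? getenv('DB_PASS_ENC'));
        putenv('DB_PASS_ENC');
        unset($_SERVER['DB_PASS_ENC'], $_ENV['DB_PASS_ENC']);

        parent::__construct(
            (string) getenv('DB_DSN'),
            (string) getenv('DB_USER'),
            $this->decryptPassword($keyFile),
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
        );
    }

    // Reverses encryptPassword(): base64(nonce || XSalsa20-Poly1305 ciphertext).
    private function decryptPassword(string $keyFile): string
    {
        $key  = file_get_contents($keyFile);
        $blob = base64_decode($this->encryptedPassword, true);
        if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES || $blob === false) {
            throw new RuntimeException('DB credential material is missing or malformed');
        }
        $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open(substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
        sodium_memzero($key);
        if ($plain === false) {
            throw new RuntimeException('DB password failed to decrypt: wrong key or tampered value');
        }
        return $plain;
    }

    // Run once, offline, to produce the value placed in `SetEnv DB_PASS_ENC`.
    public static function encryptPassword(string $plain, string $key): string
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        return base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, $key));
    }
}
```

The key file still has to be readable by the PHP process, so this splits the secret across two places and shortens its lifetime in the global space rather than removing it from the server; file permissions on the key and on the VirtualHost config remain the real control.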