发表新帖
发表新帖

What is the best way to keep your MySQL credentials private in PHP?

前端 未结
关注
4 552
孤独总比滥情好
孤独总比滥情好 2021-01-25 18:37

When it comes to programming your web application in php, what is the most efficient way to prevent your MySQL information from being disclosed or discovered by another person (

相关标签:
4条回答
  • 臣服心动
    2021-01-25 18:49
    1. Keep your credentials in a separate .php file outside the document root (so it is not directly accessible over the web)
    2. It is better to keep it a .php file instead of, say, .inc, so that even if it is accidentally accessible over the web, it will be executed and not displayed directly
    3. Do not keep the username and password after you have established the connection (i.e., unset the vars or array keys holding the credentials after you don't need them anymore); you cannot accidentally expose what you don't have anymore
    4. Do not allow repeated inclusion of the credentials file (e.g. if (defined('DB_AUTH_LOADED')) return; define('DB_AUTH_LOADED', 1); in your credentials file), in order to avoid any possible redefinition of your credentials vars

    This should protect you from direct access to your credentials and from accidental leaks of the credentials by your own code. If attackers can upload PHP files to your server and manage to actually execute them, the fight is pretty much lost, but the above measures should keep you fairly safe from accidentally revealing your creds yourself.

    0 讨论(0)
  • 闹比i
    2021-01-25 19:00

    I cannot say if this is the best, but this is how I do it;

    I have a config.php file, which holds my DB connection credentials, and is not directly accessible. I have a DB class which requires the config.php to make the connection, and I have a site class which extends the DB class.

    This is a very common way of doing things, and is generally accepted.

    0 讨论(0)
  • 时光取名叫无心
    2021-01-25 19:08

    Another thing you can do (should your credentials be compromised) is to make sure that the mysql user you set up for tasks which PHP will be using is barred from making DROP statements and maybe even DELETE statements if you can structure your data so.

    Give that user the minimum level of access to other databases possible, probably only the one that holds that users data.

    0 讨论(0)
  • 生来不讨喜
    2021-01-25 19:14

    Classes, includes? Plenty of ways to do it but ultimately if someone has access to the unparsed PHP files, they'll have your MySQL login details.

    0 讨论(0)
 看不清?
提交回复
热议问题