I'm going to use the phpmailer class in my WordPress-plugin to support the use of SMTP in my e-mail function. Is it safe to store the password in the PHP code? I don't feel 100% comfortable with leaving my login there. So my questions: Is it safe enough? How can I easily make it more secure; should I hash it in a database or something? I know MD5 isn't really that secure, but I guess it is better than putting the password in the source code?
我将在我的WordPress插件中使用phpmailer类来支持在我的电子邮件功能中使用SMTP。将密码存储在PHP代码中是否安全?离开我的登录时,我感觉不是很舒服。所以我的问题:它足够安全吗?我怎样才能轻松使它更安全;我应该在数据库中哈希吗?我知道MD5并不是那么安全,但我想这比把密码放在源代码中更好?
2 个解决方案
#1
1
Essentially you can't - and there are many posts on here saying exactly that. You can however obfuscate it to keep opportunists away. The most straightforward way is to put your password in an external config file (which helps you avoid obvious mistakes like checking your password into github). You can encrypt it to some extent, but at some point you need to decrypt it with some other supposedly secret key, so you're back at square one.
基本上你不能 - 而且这里有很多帖子都是这么说的。然而,你可以混淆它以保持机会主义者。最直接的方法是将您的密码放在外部配置文件中(这可以帮助您避免明显的错误,例如将密码检入github)。你可以在某种程度上加密它,但在某些时候你需要用一些其他所谓的秘密密钥来解密它,所以你回到了原点。
md5 and sha1 (or any other hashing function) have nothing to do with this question; hash functions are simply not applicable to this use case.
md5和sha1(或任何其他散列函数)与此问题无关;哈希函数根本不适用于此用例。
#2
-1
Tons of sites store passwords inside PHP source code. If a password is stored inside <?php ... ?> tags, it can be considered secure.
大量站点将密码存储在PHP源代码中。如果密码存储在 标记内,则可以认为是安全的。
PHP source code is rendered by the PHP engine before being exposed, which is a necessary security component. There is no known way to read it, unless your site itself has security vulnerabilities.
PHP源代码在公开之前由PHP引擎呈现,这是必要的安全组件。除非您的网站本身存在安全漏洞,否则没有已知的方法来阅读它。
Sources:
Possible to view PHP code of a website?
可以查看网站的PHP代码吗?
http://www.webmasterworld.com/forum88/10926.html
用PHP阅读源代码
http://www.vodahost.com/vodatalk/mysql-php/15061-php-source-code-php-files.html
#1
1
Essentially you can't - and there are many posts on here saying exactly that. You can however obfuscate it to keep opportunists away. The most straightforward way is to put your password in an external config file (which helps you avoid obvious mistakes like checking your password into github). You can encrypt it to some extent, but at some point you need to decrypt it with some other supposedly secret key, so you're back at square one.
基本上你不能 - 而且这里有很多帖子都是这么说的。然而,你可以混淆它以保持机会主义者。最直接的方法是将您的密码放在外部配置文件中(这可以帮助您避免明显的错误,例如将密码检入github)。你可以在某种程度上加密它,但在某些时候你需要用一些其他所谓的秘密密钥来解密它,所以你回到了原点。
md5 and sha1 (or any other hashing function) have nothing to do with this question; hash functions are simply not applicable to this use case.
md5和sha1(或任何其他散列函数)与此问题无关;哈希函数根本不适用于此用例。
#2
-1
Tons of sites store passwords inside PHP source code. If a password is stored inside <?php ... ?> tags, it can be considered secure.
大量站点将密码存储在PHP源代码中。如果密码存储在 标记内,则可以认为是安全的。
PHP source code is rendered by the PHP engine before being exposed, which is a necessary security component. There is no known way to read it, unless your site itself has security vulnerabilities.
PHP源代码在公开之前由PHP引擎呈现,这是必要的安全组件。除非您的网站本身存在安全漏洞,否则没有已知的方法来阅读它。
Sources:
Possible to view PHP code of a website?
可以查看网站的PHP代码吗?
http://www.webmasterworld.com/forum88/10926.html
用PHP阅读源代码
http://www.vodahost.com/vodatalk/mysql-php/15061-php-source-code-php-files.html