How do you protect the database password in PHP?

Date: 2022-12-13 12:35:39

When a PHP application makes a database connection it of course generally needs to pass a login and password. If I'm using a single, minimum-permission login for my application, then the PHP needs to know that login and password somewhere. What is the best way to secure that password? It seems like just writing it in the PHP code isn't a good idea.

17 solutions

#1 (206 votes)

Several people misread this as a question about how to store passwords in a database. That is wrong. It is about how to store the password that lets you get to the database.

The usual solution is to move the password out of source-code into a configuration file. Then leave administration and securing that configuration file up to your system administrators. That way developers do not need to know anything about the production passwords, and there is no record of the password in your source-control.

#2 (91 votes)

If you're hosting on someone else's server and don't have access outside your webroot, you can always put your password and/or database connection in a file and then lock the file using a .htaccess:

# Apache 2.2 syntax (needs mod_access_compat on 2.4); on Apache 2.4 use "Require all denied" instead
<Files mypasswdfile>
    Order allow,deny
    Deny from all
</Files>

#3 (36 votes)

Store them in a file outside web root.

#4 (34 votes)

The most secure way is to not have the information specified in your PHP code at all.

If you're using Apache that means to set the connection details in your httpd.conf or virtual hosts file. If you do that you can call mysql_connect() with no parameters, which means PHP will never ever output your information.

This is how you specify these values in those files:

# httpd.conf / <VirtualHost>. The ini names are mysqli.default_* (the posted
# mysql.default.* names are read by no extension); php_admin_value instead of
# php_value stops a .htaccess from overriding them.
php_value mysqli.default_user  myusername
php_value mysqli.default_pw    mypassword
php_value mysqli.default_host  server

Then you open your mysql connection like this:

<?php
// With no arguments mysqli_connect() falls back to mysqli.default_host/_user/_pw
$db = mysqli_connect();

Or like this:

<?php
// Same thing, reading the ini values explicitly. Argument order is host, user,
// password (the posted version passed them as user, password, host).
$db = mysqli_connect(ini_get("mysqli.default_host"),
                     ini_get("mysqli.default_user"),
                     ini_get("mysqli.default_pw"));

#5 (32 votes)

For extremely secure systems we encrypt the database password in a configuration file (which itself is secured by the system administrator). On application/server startup the application then prompts the system administrator for the decryption key. The database password is then read from the config file, decrypted, and stored in memory for future use. Still not 100% secure since it is stored in memory decrypted, but you have to call it 'secure enough' at some point!

#6 (12 votes)

This solution is general, in that it is useful for both open and closed source applications.

  1. Create an OS user for your application. See http://en.wikipedia.org/wiki/Principle_of_least_privilege
  2. Create a (non-session) OS environment variable for that user, with the password
  3. Run the application as that user

Advantages:

  1. You won't check your passwords into source control by accident, because you can't
  2. You won't accidentally screw up file permissions. Well, you might, but it won't affect this.
  3. Can only be read by root or that user. Root can read all your files and encryption keys anyways.
  4. If you use encryption, how are you storing the key securely?
  5. Works x-platform
  6. Be sure to not pass the envvar to untrusted child processes

This method is suggested by Heroku, who are very successful.
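
The reading side of the scheme in #6, as an added example that is not code from the answer or from Heroku: the password arrives in the process environment of a dedicated OS user, is copied once into a private field, and is then scrubbed from everything PHP exposes (getenv(), $_ENV, $_SERVER) and kept out of child processes. The variable names DB_USER/DB_PASSWORD, the DSN and the child command are assumptions; the array form of proc_open() needs PHP 7.4+.

```php
<?php
/* Added example, not code from the original answer. Reads the DB credentials from
 * the process environment (answer #6), scrubs the password from getenv()/$_ENV/
 * $_SERVER once it is held privately, and spawns helpers with an explicit clean
 * environment so the secret is not inherited. DB_USER, DB_PASSWORD, the DSN and
 * the child command are assumptions. Needs PHP 7.4+ (array form of proc_open). */

declare(strict_types=1);

final class EnvCredentials
{
    private string $user;
    private string $password;

    public function __construct(string $userVar = 'DB_USER', string $passVar = 'DB_PASSWORD')
    {
        $user = getenv($userVar);
        $pass = getenv($passVar);
        if ($user === false || $pass === false || $pass === '') {
            throw new RuntimeException("$userVar and $passVar must be set in the environment");
        }
        $this->user     = $user;
        $this->password = $pass;

        // Scrub: putenv() with no "=" removes the variable for getenv() and for any
        // child that inherits our environment; the superglobals keep their own copies.
        putenv($passVar);
        unset($_ENV[$passVar], $_SERVER[$passVar]);
    }

    public function user(): string
    {
        return $this->user;
    }

    /** Hand the password to the driver; nothing else can read it from this object. */
    public function connect(string $dsn): PDO
    {
        return new PDO($dsn, $this->user, $this->password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    }
}

/**
 * Run a helper with an explicit, minimal environment instead of inheriting ours
 * (answer #6's last point). Returns what the child wrote to stdout.
 */
function runIsolated(array $cmd): string
{
    $cleanEnv = ['PATH' => '/usr/bin:/bin', 'LANG' => 'C'];   // nothing secret in here
    $spec = [0 => ['file', '/dev/null', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes, null, $cleanEnv);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ' . $cmd[0]);
    }
    $out = (string) stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// e.g. started as:  DB_USER=app_ro DB_PASSWORD='...' php app.php
$creds = new EnvCredentials();
$db    = $creds->connect('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4');
var_dump(getenv('DB_PASSWORD'));   // bool(false): already scrubbed
echo runIsolated(['env']);         // child sees only PATH and LANG
```

Two caveats that apply to this approach as a whole: /proc/PID/environ still shows the variable as it was at exec time to the same user and to root, which is why the scrub targets what PHP code and children can read rather than the kernel's copy, and under PHP-FPM the pool configuration (env[...]) is the place the variable is set, which is a file with the same permission concerns as any other config file.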

#7 (10 votes)

If it is possible to create the database connection in the same file where the credentials are stored, inline the credentials in the connect statement.

// mysql_connect() was removed in PHP 7; mysqli_connect() takes the same arguments
$db = mysqli_connect("localhost", "me", "mypass");

Otherwise it is best to unset the credentials after the connect statement, because credentials that are not in memory, can't be read from memory ;)

include("/outside-webroot/db_settings.php");   // defines $db_user and $db_pass
$db = mysqli_connect("localhost", $db_user, $db_pass);
unset($db_user, $db_pass);                     // drop the copies the script no longer needs

#8 (7 votes)

Your choices are kind of limited as you say you need the password to access the database. One general approach is to store the username and password in a separate configuration file rather than the main script. Then be sure to store that outside the main web tree. That way, if there is a web configuration problem that leaves your php files being simply displayed as text rather than being executed, you haven't exposed the password.

Other than that you are on the right lines with minimal access for the account being used. Add to that

  • Don't use the combination of username/password for anything else
  • Configure the database server to only accept connections from the web host for that user (localhost is even better if the DB is on the same machine). That way, even if the credentials are exposed, they are no use to anyone unless they have other access to the machine.
  • Obfuscate the password (even ROT13 will do). It won't put up much defense if someone does get access to the file, but at least it will prevent casual viewing of it.

Peter

#9 (5 votes)

Put the database password in a file, make it read-only to the user serving the files.

Unless you have some means of only allowing the php server process to access the database, this is pretty much all you can do.

#10 (5 votes)

If you are using PostgreSQL, then it looks in ~/.pgpass for passwords automatically. See the manual for more information.
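
What #10 looks like from PHP, as an added example (not code from the answer): the pgsql extension is built on libpq, so a pg_connect() string without password= makes libpq look the password up in ~/.pgpass (or the file named by $PGPASSFILE) by host:port:database:user. libpq silently ignores that file unless it is mode 0600 or stricter, so the check below turns that silent failure into a clear error. Host, database and user names are assumptions.

```php
<?php
/* Added example, not code from the original answer. Connects to PostgreSQL with
 * no password anywhere in PHP (answer #10): libpq reads it from ~/.pgpass or
 * $PGPASSFILE, provided the file is not group/world readable. Host, database
 * and user names are assumptions; requires the pgsql extension. */

declare(strict_types=1);

function pgpassPath(): string
{
    $explicit = getenv('PGPASSFILE');            // libpq honours this override
    if ($explicit !== false && $explicit !== '') {
        return $explicit;
    }
    $home = getenv('HOME');                      // may be unset under PHP-FPM
    if ($home === false || $home === '') {
        throw new RuntimeException('HOME is not set, cannot locate ~/.pgpass');
    }
    return rtrim($home, '/') . '/.pgpass';
}

function assertPgpassUsable(string $path): void
{
    if (!is_file($path)) {
        throw new RuntimeException("$path does not exist");
    }
    $mode = fileperms($path) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf('%s is mode %04o; libpq ignores it unless it is 0600', $path, $mode));
    }
}

/** Returns the pgsql connection (a resource before PHP 8.1, PgSql\Connection after). */
function connectWithoutPassword(string $host, string $db, string $user)
{
    assertPgpassUsable(pgpassPath());
    // No password= here: libpq matches host:port:database:user against .pgpass.
    $conn = pg_connect(sprintf('host=%s dbname=%s user=%s', $host, $db, $user));
    if ($conn === false) {
        $err = error_get_last();
        throw new RuntimeException('connection failed: ' . ($err['message'] ?? 'unknown error'));
    }
    return $conn;
}

/* ~/.pgpass for the account the PHP process runs as (constructed sample, chmod 0600):
 *   localhost:5432:app:app_ro:s3cret
 */
$conn = connectWithoutPassword('localhost', 'app', 'app_ro');
```

The same delegation exists for MySQL via a ~/.my.cnf or a file passed through the mysqli client options, but in both cases the secret still lives in a file the web server user can read; what you gain is that it is outside the code tree and outside anything PHP can echo.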

#11 (4 votes)

I think the OP means the database password.

Unless someone gains access to your server via FTP or SSH (in which case you're already buggered), I wouldn't worry about storing passwords in plaintext in PHP files. Most PHP applications I've seen do it that way, for example phpbb.

#12 (4 votes)

If you're talking about the database password, as opposed to the password coming from a browser, the standard practice seems to be to put the database password in a PHP config file on the server.

You just need to be sure that the php file containing the password has appropriate permissions on it. I.e. it should be readable only by the web server and by your user account.

#13 (3 votes)

An additional trick is to use a separate PHP configuration file that looks like this:

<?php exit() ?>

[...]

Plain text data including password

This does not prevent you from setting access rules properly. But in the case your web site is hacked, a "require" or an "include" will just exit the script at the first line so it's even harder to get the data.

Nevertheless, do not ever let configuration files sit in a directory that can be accessed through the web. You should have a "Web" folder containing your controller code, css, pictures and js. That's all. Anything else goes in offline folders.
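
A loader that puts #1, #3 and #13 together, as an added example that is not code from any of the answers: the credentials live in an INI file outside the document root, the loader refuses to run if the file is inside the document root or readable by group/other, and it skips the `<?php exit() ?>` guard line from #13 if present. The path /etc/myapp/db.ini, the key names and the DSN are assumptions; readonly promoted properties need PHP 8.1+.

```php
<?php
/* Added example, not code from the original answers. Loads DB credentials from an
 * INI file kept outside the document root (answers #1, #3), refuses a file that is
 * group/world readable, and tolerates the "<?php exit() ?>" guard line of answer
 * #13. The path /etc/myapp/db.ini, the key names and the DSN are assumptions.
 * Requires PHP 8.1+. */

declare(strict_types=1);

final class DbConfig
{
    public function __construct(
        public readonly string $host,
        public readonly string $user,
        public readonly string $password,
        public readonly string $dbname,
    ) {
    }

    public static function load(string $path): self
    {
        $real = realpath($path);
        if ($real === false) {
            throw new RuntimeException("config file $path not found");
        }

        // 1. Refuse a file under the document root: a misconfiguration that serves
        //    .php as text would expose it (answers #3 and #8).
        $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
        if ($docRoot !== false && str_starts_with($real, rtrim($docRoot, '/') . '/')) {
            throw new RuntimeException("$real is inside the document root $docRoot");
        }

        // 2. Refuse a file that group or other can read (expected 0600, owned by
        //    the account the PHP process runs as).
        $mode = fileperms($real) & 0777;
        if (($mode & 0077) !== 0) {
            throw new RuntimeException(sprintf('%s is mode %04o; expected 0600', $real, $mode));
        }

        // 3. Drop the optional guard line, then parse the rest as INI. Quote the
        //    password in the file: INI treats ; { } | & ~ ! ( ) ^ specially.
        $raw = file_get_contents($real);
        if ($raw === false) {
            throw new RuntimeException("cannot read $real");
        }
        $lines = preg_split('/\R/', $raw) ?: [];
        if (preg_match('/^\s*<\?php\s+exit\s*\(\s*\)\s*;?\s*\?>\s*$/', $lines[0] ?? '')) {
            array_shift($lines);
        }
        $ini = parse_ini_string(implode("\n", $lines));
        if ($ini === false) {
            throw new RuntimeException("$real is not valid INI");
        }
        foreach (['host', 'user', 'password', 'dbname'] as $key) {
            if (!isset($ini[$key]) || $ini[$key] === '') {
                throw new RuntimeException("$real lacks a non-empty '$key'");
            }
        }
        return new self((string) $ini['host'], (string) $ini['user'], (string) $ini['password'], (string) $ini['dbname']);
    }

    /** Open the connection; the password is handed to PDO and nowhere else. */
    public function connect(): PDO
    {
        $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $this->host, $this->dbname);
        return new PDO($dsn, $this->user, $this->password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    }
}

/* /etc/myapp/db.ini, chmod 0600 (constructed sample content):
 *   <?php exit() ?>
 *   host = "127.0.0.1"
 *   user = "app_ro"
 *   password = "correct horse;battery"
 *   dbname = "app"
 */
$db = DbConfig::load('/etc/myapp/db.ini')->connect();
```

The permission check is the part most often missing in practice: a 0644 config file outside the web root is still readable by every other account on a shared host, which is exactly the case #2 worries about.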

#14 (3 votes)

Best way is to not store the password at all!
For instance, if you're on a Windows system, and connecting to SQL Server, you can use Integrated Authentication to connect to the database without a password, using the current process's identity.

If you do need to connect with a password, first encrypt it, using strong encryption (e.g. using AES-256, and then protect the encryption key, or using asymmetric encryption and have the OS protect the cert), and then store it in a configuration file (outside of the web directory) with strong ACLs.
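
The scheme of #5 and #14 carried through, as an added example that is not code from either answer: the DB password sits encrypted in a config file, and the key that unlocks it is derived from a passphrase an operator types at startup, so neither the file nor the source carries the cleartext. It uses libsodium as bundled with PHP 7.2+ (XSalsa20-Poly1305 secretbox with an Argon2id-derived key) rather than the AES-256 named in #14. The blob path /etc/myapp/db.enc, the NEW_DB_PASSWORD variable and the DSN are assumptions.

```php
<?php
/* Added example, not code from the original answers. Realises answers #5 and #14:
 * the DB password is stored encrypted in a config file and the key is derived from
 * a passphrase typed at startup. Uses libsodium as bundled with PHP >= 7.2. The
 * blob path /etc/myapp/db.enc, NEW_DB_PASSWORD and the DSN are assumptions. */

declare(strict_types=1);

function deriveKey(string $passphrase, string $salt): string
{
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES,
        $passphrase,
        $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE,
        SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13
    );
}

/** One-off tool: encrypt the DB password under a passphrase; returns a base64 blob. */
function sealPassword(string $password, string $passphrase): string
{
    $salt  = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);      // 16 bytes
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);  // 24 bytes
    $key   = deriveKey($passphrase, $salt);
    $box   = sodium_crypto_secretbox($password, $nonce, $key);  // authenticated encryption
    sodium_memzero($key);
    return base64_encode($salt . $nonce . $box);                // salt || nonce || ciphertext
}

/** Startup: recover the password; fails closed on a wrong passphrase or a tampered file. */
function openPassword(string $blob, string $passphrase): string
{
    $bin = base64_decode($blob, true);
    $min = SODIUM_CRYPTO_PWHASH_SALTBYTES + SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($bin === false || strlen($bin) < $min) {
        throw new RuntimeException('config blob is malformed');
    }
    $salt  = substr($bin, 0, SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $nonce = substr($bin, SODIUM_CRYPTO_PWHASH_SALTBYTES, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($bin, SODIUM_CRYPTO_PWHASH_SALTBYTES + SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key   = deriveKey($passphrase, $salt);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    sodium_memzero($key);
    if ($plain === false) {
        throw new RuntimeException('wrong passphrase or tampered config');
    }
    return $plain;
}

/** Read the passphrase from the terminal with echo off (Linux/macOS CLI). */
function promptPassphrase(): string
{
    shell_exec('stty -echo');
    fwrite(STDOUT, 'Config passphrase: ');
    $p = rtrim((string) fgets(STDIN), "\r\n");
    shell_exec('stty echo');
    fwrite(STDOUT, PHP_EOL);
    return $p;
}

if (($argv[1] ?? '') === 'seal') {
    // php bootstrap.php seal > /etc/myapp/db.enc   (run once by the administrator)
    echo sealPassword((string) getenv('NEW_DB_PASSWORD'), promptPassphrase()), PHP_EOL;
} else {
    // php bootstrap.php   (every start of the long-running worker)
    $blob     = trim((string) file_get_contents('/etc/myapp/db.enc'));
    $password = openPassword($blob, promptPassphrase());
    $pdo      = new PDO('mysql:host=127.0.0.1;dbname=app', 'app_ro', $password);
    sodium_memzero($password);   // PDO holds its own copy; drop ours
}
```

This fits a long-lived process (a CLI worker or daemon) that is started by a person. Under the classic request-per-process PHP model there is no startup to prompt at, so the decrypted value has to be cached somewhere every worker can reach, which is the problem #16 is trying to solve and which moves the secret rather than removing it. The authenticated secretbox also covers the "tampered config" case: a modified blob is rejected instead of yielding garbage that is then sent to the database server.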

#15 (3 votes)

Just putting it into a config file somewhere is the way it's usually done. Just make sure you:

  1. disallow database access from any servers outside your network,
  2. take care not to accidentally show the password to users (in an error message, or through PHP files accidentally being served as HTML, etcetera.)

#16 (3 votes)

We have solved it in this way:

  1. Use memcache on server, with open connection from other password server.
  2. Save to memcache the password (or even all the password.php file encrypted) plus the decrypt key.
  3. The web site calls the memcache key holding the password file passphrase and decrypts in memory all the passwords.
  4. The password server sends a new encrypted password file every 5 minutes.
  5. If you are using encrypted password.php on your project, you put an audit that checks if this file was touched externally, or viewed. When this happens, you can automatically clean the memory, as well as close the server for access.

#17 (3 votes)

Previously we stored DB user/pass in a configuration file, but have since hit paranoid mode -- adopting a policy of Defence in Depth.

If your application is compromised, the user will have read access to your configuration file and so there is potential for a cracker to read this information. Configuration files can also get caught up in version control, or copied around servers.

We have switched to storing user/pass in environment variables set in the Apache VirtualHost. This configuration is only readable by root -- hopefully your Apache user is not running as root.

The con with this is that now the password is in a Global PHP variable.

To mitigate this risk we have the following precautions:

  • The password is encrypted. We extend the PDO class to include logic for decrypting the password. If someone reads the code where we establish a connection, it won't be obvious that the connection is being established with an encrypted password and not the password itself.
  • The encrypted password is moved from the global variables into a private variable. The application does this immediately to reduce the window that the value is available in the global space.
  • phpinfo() is disabled. PHPInfo is an easy target to get an overview of everything, including environment variables.
