Secure storage of database credentials

2019-02-10 16:41发布

问题:

Had a major problem recently where my web hosting company messed up and all my php files were displayed in plain text. This was a major issue for me for obvious reasons. Mainly because mysql database details were exposed.

I am now trying to change the way in which my php files get the login information for the database so that this will never happen again even if the hosting company fail me.

my current set up looks like this :

     include 'info.php';

    class Login {

var $host;
var $username;
var $password;
var $db;
var $url;

Inside the info.php is the username, password and so on for the database. I want to make it so that the info.php file can never be viewed and only my .php files are able to access info.php in order to get the login infomation.

How can i set this up? This is a bit of a tricky one for me to explain so please dont be harsh and -1 me for a bad description.. just ask and i will clear up any gaps in my description.

回答1:

Simply place info.php outside your webroot. This way, you can include it, but should your web hosting f*#$ up, no one else can view that file, even as plain text.

You would then include it like this:

include('../info.php');

This way, even if someone finds out that you have a file called info.php that stores all your passwords, they cannot point their browser to that file.

The above would be the ideal and most watertight solution. However, if that is not possible due to permissions, the other option would be to place all sensitive files in a directory and block direct access to that directory using a .htaccess file.

In the directory you want to block off access to, place an .htaccess file with the following contents:

deny from all



回答2:

If for some reason xbonez's answer doesn't work (lets say one doesn't have access to a non document_root folder).. You can achieve the same thing by using .htaccess

<files info.php>
 order allow,deny
 deny from all
</files>

This, should in theory (non tested) protect the file from being used in the browser but not block php from including said file.



回答3:

Create form that redirect to file for the example "requests.php" and make switch on it for all you requests.If your data is right redirect to the specific page, if not do it same.On the end of the switch put anoter redirect.With this way user can't see that page.Don't put therer html or something - only logic.