把我的 PHP 文件放在哪里
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/27740306/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Where to put my PHP files
提问by Bunkai.Satori
I have finished my PHP project development. It was developed locally on my PC. Now I am ready to upload it on my web server and make it publicly accessible.
我已经完成了我的 PHP 项目开发。它是在我的 PC 上本地开发的。现在我已准备好将其上传到我的 Web 服务器上并使其可公开访问。
There is however one thing that bothers me: Currently, all the PHP files are in my WWW folder with all the HTML, JavaScript, CSS, and Images files. PHP files are sensitive, as they access MySQL Database and often contains password and file paths that are meant to remain secret from the users.
然而,有一件事情困扰着我:目前,所有 PHP 文件都在我的 WWW 文件夹中,其中包含所有 HTML、JavaScript、CSS 和图像文件。PHP 文件是敏感的,因为它们访问 MySQL 数据库并且通常包含旨在对用户保密的密码和文件路径。
If I leave the PHP files within the WWW directory, am I afraid, they can become accessible to public in the same way, as the other files and images are. I am afraid that skilled users can download and read them, and therefore reveal are the secret information about my web server.
如果我将 PHP 文件保留在 WWW 目录中,恐怕它们可以像其他文件和图像一样以相同的方式可供公众访问。恐怕有经验的用户可以下载阅读它们,从而泄露有关我的Web服务器的秘密信息。
Are my worries legit? Does the web server automatically hides .php files? Should I move the PHP files into another location, away from WWW folder? Is there any other way to protect my PHP files from being downloaded?
我的担心合理吗?Web 服务器是否会自动隐藏 .php 文件?我应该将 PHP 文件移动到另一个位置,远离 WWW 文件夹吗?有没有其他方法可以保护我的 PHP 文件不被下载?
I am using:
我在用:
- Apache 2.4.7
- PHP 5.5.8
- MySQL 5.6.15
- 阿帕奇 2.4.7
- PHP 5.5.8
- MySQL 5.6.15
回答by GolezTrol
It's pretty safe.If you have PHP installed, your webserver will always try to run the PHP file rather than showing its code, and even if the code fails, you will get an error message or a blank page rather than the code.
这是相当安全的。如果您安装了 PHP,您的网络服务器将始终尝试运行 PHP 文件而不是显示其代码,即使代码失败,您也会收到错误消息或空白页面而不是代码。
Apart from that, you can use .htaccessor other kinds of server configuration to disable viewing of those files.
除此之外,您可以使用.htaccess或其他类型的服务器配置来禁用查看这些文件。
But..It must be said though, that if any of these settings are not configured correctly, the webserver may indeed serve the PHP files as plain text files!
但是..必须要说的是,如果这些设置中的任何一个没有正确配置,网络服务器确实可能将 PHP 文件作为纯文本文件提供!
So I think it is a good idea to move all php files out of the www folder if they should not be accessed directly. Quite often you'll find only one index.php which handles all requests and includes other php files. PHP files that are not in www (the document root), can still be included, so it's a good safety measure to put these files in a separate folder. That way, you reduce the risk of exposing those files when you make a tiny little configuration error.
因此,我认为如果不应直接访问所有 php 文件,将所有 php 文件移出 www 文件夹是个好主意。很多时候你会发现只有一个 index.php 处理所有请求并包含其他 php 文件。不在 www(文档根目录)中的 PHP 文件仍然可以包含在内,因此将这些文件放在单独的文件夹中是一个很好的安全措施。这样,当您犯下一个小小的配置错误时,您就可以降低暴露这些文件的风险。
After all, even when it worked before, it's very easy to break it. Maybe you want to tweak your configuration a little, or you are on a shared host where the hosting provider might make changes without you knowing, so it's just a wise thing to do.
毕竟,即使它以前有效,也很容易破坏它。也许您想稍微调整一下您的配置,或者您在共享主机上,托管服务提供商可能会在您不知情的情况下进行更改,因此这是明智之举。
So..It is a good idea to move files out of the www folder. It's usually very easy to do this (although it depends on your application structure), so it's just an extra safety measure that usually won't cost you a dime. And if it's hard (due to your current application structure) to completely move all files out of the document root, make sure that at least configuration files with passwords are outside of the www folder, followed by database access files that might expose any security issues you might have in your implementation.
所以..将文件移出 www 文件夹是个好主意。这样做通常很容易(尽管这取决于您的应用程序结构),因此这只是一种额外的安全措施,通常不会花费您一分钱。如果很难(由于您当前的应用程序结构)将所有文件完全移出文档根目录,请确保至少带有密码的配置文件位于 www 文件夹之外,然后是可能暴露任何安全问题的数据库访问文件你可能在你的实现中。
回答by tomloprod
Don't worry; files PHPare interpreted by the web server and the code is not accessible directlyfrom a web browser. In the file httpd.confof apache you can check that the extension phpis "protected".
别担心;文件PHP由网络服务器解释,代码不能直接从网络浏览器访问。在httpd.confapache文件中,您可以检查扩展名php是否为“受保护”。
AddType application/x-httpd-php .php
If you are interested in give a littleplus of security to your application, you can change the extensionof your PHP files, and your webserver config (the line above). It is called Security through obscurity.
如果您有兴趣为您的应用程序增加一点安全性,您可以更改PHP 文件的扩展名和网络服务器配置(上面的行)。它被称为Security through obscurity。
