如何安全地在 PHP 代码中存储密码?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1432545/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to safely store a password inside PHP code?
提问by nunos
How can I have a password inside PHP code and guarantee that no one viewing the page in the browser can retrieve it?
如何在 PHP 代码中设置密码并保证没有人在浏览器中查看页面可以检索到它?
Is: <?php $password = 'password' ?>enough? Is there a better, more secure way of doing this?
方法是:<?php $password = 'password' ?>够了吗?有没有更好、更安全的方法来做到这一点?
回答by knittl
That depends on the typeof passwords you want to store.
这取决于您要存储的密码类型。
If you want to store passwords to compare against, e.g. having an
$usersarray, then hashing is the way to go.sha1,md5or any other flavor (here's an overview)Adding a saltaccounts for additional security, because the same password will not result in the same hashUpdate:
password_hashuses a salted, strong one-way hash with multiple rounds.If you want to store passwords to connect to other resources like a database: you're safest if you store your passwords outside your document root, i.e. not reachable by browsers. If that's not possible, you can use an
.htaccessfile to deny all requests from outside
如果你想存储密码进行比较,例如有一个
$users数组,那么散列是要走的路。sha1,md5或任何其他风格(这里是概述)添加盐帐户以增加安全性,因为相同的密码不会导致相同的哈希更新:
password_hash使用多轮加盐的强单向哈希。如果您想存储密码以连接到数据库等其他资源:如果您将密码存储在文档根目录之外,即浏览器无法访问,则最安全。如果这是不可能的,您可以使用
.htaccess文件拒绝来自外部的所有请求
回答by Adam Wright
Your PHP code will (baring configuration errors) be processed on the server. Nothing inside the <?php ?>;blocks will ever be visible on the browser. You should ensure that your deployment server will not show syntax errors to the client - i.e. the error reporting is set to something not including E_PARSE, lest a hasty edit of live code (admit it, we all do them :) leak some information.
您的 PHP 代码(排除配置错误)将在服务器上处理。<?php ?>;块内的任何内容都不会在浏览器上可见。您应该确保您的部署服务器不会向客户端显示语法错误 - 即错误报告设置为不包括 E_PARSE 的内容,以免草率编辑实时代码(承认,我们都这样做:) 泄漏一些信息。
Edit: The point about storing them in a file outside the document root to avoid exposure if your PHP configuration breaks is certainly valid. When I used PHP, I kept a config.inc file outside of htdocs that was required at runtime, and exported configuration specific variables (i.e. passwords).
编辑:如果您的 PHP 配置中断,将它们存储在文档根目录之外的文件中以避免暴露的要点肯定是有效的。当我使用 PHP 时,我在 htdocs 之外保留了一个 config.inc 文件,该文件require在运行时为d,并导出配置特定变量(即密码)。
回答by brianreavis
Let's say your password is "iamanuisance". Here's how to store the password in your code. Just slip this in your header somewhere.
假设您的密码是“ iamanuisance”。以下是在代码中存储密码的方法。只需将它放在您的标题中的某个地方。
//calculate the answer to the universe
${p()}=implode(null,array(chr(0150+floor(rand(define(chr(ord('i')+16),'m'),
2*define(chr(0x58),1)-0.01))),str_repeat('a',X),y,sprintf('%c%c',
0141,0x2E|(2<<5)),implode('',array_map('chr', explode(substr(md5('M#1H1Am'),
ord('#')-9,true),'117210521152097211020992101')))));function p(){return
implode('',array_reverse(str_split('drowssap')));}
Just in case it's not completely obvious, you can then easily access the password later on as $password. Cheers! :P
以防万一它不是很明显,您可以稍后轻松访问密码$password。干杯! :P
回答by Jake
There are noumerous ways of doing this. However, people will not be able to view the password you stored (as plain text) in a PHP file, since PHP is a server side language which means that, as long as you don't print it out to the browser, it will remain invisible.
有很多方法可以做到这一点。但是,人们将无法查看您在 PHP 文件中存储的密码(以纯文本形式),因为 PHP 是一种服务器端语言,这意味着,只要您不将其打印到浏览器,它就会保持隐形。
So it's 'safe'.
所以它是“安全的”。
回答by Heiko Hatzfeld
If you can retrieve the password within PHP, then it is retrievable...
如果您可以在 PHP 中检索密码,那么它是可检索的...
The only thing that you can do is to move you password to a "protected" location.
您唯一能做的就是将您的密码移动到“受保护”的位置。
Most hosting companies will offer a separate location where you can place your DB files etc, and this location will not be accessible via the browser. You should store passwords there.
大多数托管公司会提供一个单独的位置,您可以在其中放置数据库文件等,并且无法通过浏览器访问该位置。您应该将密码存储在那里。
But they are still on your server, and when someone gets access to your box, then he has your password. (He gets to your PHP that has the way to decode it, and he has access to the protected file -> he can read it)
但是它们仍然在您的服务器上,当有人访问您的盒子时,他就有了您的密码。(他可以访问您的 PHP,并且可以对其进行解码,并且他可以访问受保护的文件 -> 他可以读取它)
So there is no such thing as a "safe password"
所以没有“安全密码”这样的东西
The only option YOU have is to not STORE PASSWORDS for your users etc... I get mad if I subscribe to a service, and they offer to send me my password via email in case I forget it. They store it in a "retrievable way", and that's no something you should do.
您唯一的选择是不为您的用户等存储密码……如果我订阅了一项服务,我会很生气,他们会通过电子邮件向我发送密码,以防我忘记密码。他们以“可检索的方式”存储它,这不是你应该做的。
That's where all the hashing and salting comes in. You want to veryfy that someone can access a resource. So you hash + salt the password, and store that in the DB for the USER who want to access the service, and when the user wants to authenticate you apply the same algorithm to create the hash and compare those.
这就是所有散列和加盐的用武之地。您想确保有人可以访问资源。因此,您对密码进行散列 + 加盐,并将其存储在数据库中供想要访问该服务的用户使用,当用户想要进行身份验证时,您可以应用相同的算法来创建散列并进行比较。
回答by Martijn
Basic, probably not 100% watertight but enough for general purposes:
基本的,可能不是 100% 防水,但足以用于一般用途:
hash the password (use salt for added security) using your favorite algorithm, and store the hash (and the salt). Compare salted & hashed input with stored data to check a password.
使用您喜欢的算法散列密码(使用盐来增加安全性),并存储散列(和盐)。将加盐和散列输入与存储的数据进行比较以检查密码。
回答by Jeff Ober
Store the password encrypted. For example, take the output of:
存储加密的密码。例如,取以下输出:
sha1("secretpassword");
...and put it in your code. Even better, put it in your database or in a file outside of the web server's directory tree.
...并将其放入您的代码中。更好的是,将它放在您的数据库或 Web 服务器目录树之外的文件中。
回答by Cem Kalyoncu
PHP code blocks cannot be retrieved by clients unless they output something. Observe:
除非客户端输出某些内容,否则客户端无法检索 PHP 代码块。观察:
<?php
if($password=="abcd")
echo "OK";
else
echo "Wrong.";
?>
User can get either OK or Wrong nothing else.
用户可以得到 OK 或 Wrong 没有别的。
回答by MathGladiator
I generally do not trust raw PHP code for passwords for services. Write a simple PHP extension to release the password. This ensures that the working set is password free, and it makes it an extra step for a compromised machine to grant access to the hacker to the service.
我通常不信任原始 PHP 代码作为服务密码。编写一个简单的 PHP 扩展来释放密码。这确保了工作集没有密码,并且它使受感染的机器向黑客授予对服务的访问权限成为额外的步骤。
回答by macjohn
As suggested, store the password sha1, salted and peppered
按照建议,存储密码 sha1,加盐和胡椒
function hashedPassword($plainPassword) {
$salt = '1238765&';
$pepper = 'anythingelse';
return sha1($salt . sha1($plainPassword . $pepper));
}
and then compare the two values
然后比较两个值
if ($stored === hashedPassword('my password')) {
...
}
And if you can't store your hashed passwords outside of the server root, remember to instruct apache to forbid the access to that file, in your .htaccess file:
如果您无法将散列密码存储在服务器根目录之外,请记住在您的 .htaccess 文件中指示 apache 禁止访问该文件:
<Files passwords.config.ini>
Order Deny,Allow
Deny from all
</Files>
