使用 PHP 安全连接到 MySQL 的最佳方式
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3710511/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Best way to connect to MySQL with PHP securely
提问by Tim
I want some input on what you guys think is the most secure way to connect to a MySQL database using PHP. Currently the way I'm doing it is a utility PHP file that I include in the top of all my other PHP files. The utility PHP file is this:
我想要一些关于你们认为使用 PHP 连接到 MySQL 数据库的最安全方法的输入。目前,我的做法是将实用程序 PHP 文件包含在所有其他 PHP 文件的顶部。实用程序 PHP 文件是这样的:
<?php
if(!defined('IN_PHP')){
die("hackerssss");
}
$mysql_host = "localhost";
$mysql_user = "root";
$mysql_pass = "root";
$mysql_db = cokertrading;
?>
Any suggestions?
有什么建议?
回答by Alex
Suggestion: You should probably never be running as root; create another account and give it the 'least' privileges required for your site.
建议:您可能永远不应该以 root 身份运行;创建另一个帐户并为其授予站点所需的“最低”权限。
回答by Kristoffer Sall-Storgaard
I can believe noone has mentioned MYSQLIand prepared statementsyet, you may lock your password and database connection away, but thats ultimately futile if I can simply type ';DROP TABLE users;--in the login form.
我相信没有人提到过MYSQLI和准备好的语句,您可以锁定密码和数据库连接,但如果我可以简单地输入';DROP TABLE users;--登录表单,那最终是徒劳的。
Check http://en.wikipedia.org/wiki/SQL_injectionfor an idea about what I'm talking about.
检查http://en.wikipedia.org/wiki/SQL_injection以了解我在说什么。
回答by Pekka
Define a pair of proper login credentials instead of "root/root" (change the user name to something else, and choose a complicated password);
if possible restrict access to the database to localhost on a firewall level or, as @Scott says in the comments, set mySQL to listen to connections from 127.0.0.1 only. If both is not possible, restrict access on mySQL level. (
"username"@"localhost")
定义一对正确的登录凭据,而不是“root/root”(将用户名更改为其他名称,并选择一个复杂的密码);
如果可能,在防火墙级别将数据库访问限制为 localhost,或者,正如@Scott 在评论中所说,将 mySQL 设置为仅侦听来自 127.0.0.1 的连接。如果两者都不可能,请限制 mySQL 级别的访问。(
"username"@"localhost")
回答by Thomas Clayson
Because PHP scripts are server side - i.e. they are parsed on the server and onlythe output is sent to the browser - the way you are doing this is perfectly secure.
因为 PHP 脚本是服务器端的——即它们在服务器上被解析并且只有输出被发送到浏览器——你这样做的方式是完全安全的。
The only way that people would be able to get your username and password would be to actually hack into your server and view the source code - in which case there's no way (in PHP) to protect against this.
人们能够获得您的用户名和密码的唯一方法是实际入侵您的服务器并查看源代码 - 在这种情况下(在 PHP 中)没有办法防止这种情况。
回答by o0'.
- Remember that anyone who can read that file will know your SQL password: set it not readable by others.
- Don't login with root: create a user for each application.
- Don't use "root" as your root password.
- Don't give your password to everyone.
- 请记住,任何可以读取该文件的人都会知道您的 SQL 密码:将其设置为其他人无法读取。
- 不要用 root 登录:为每个应用程序创建一个用户。
- 不要使用“root”作为您的 root 密码。
- 不要把你的密码告诉所有人。
