w3pop.com :: Web Academy :: PHP :: PHP Security Tips Series #9 [Translation]
Original source: http://devzone.zend.com/article/1807-PHP-Security-Tip-9
Translated by: linyupark@w3pop.com
Sometimes it’s the simplest ideas that are the most powerful. This one sounds simple but I’m always surprised at how few people understand and actually implement this idea.
Keep sensitive data and code out of your web tree
Consider this directory structure.
/htdocs
    /includes
    /images
    /js
If you store your database credentials in a file named db.inc and place it in the /includes directory, it is possible for someone to download the information in that file by going to http://example.com/includes/db.inc. Since most web servers aren’t given explicit instructions on how to deal with .inc files, they are treated as text if requested directly. The ramifications of this are obvious. If you store your database credentials in a file with an extension other than .php and inside your web server’s document root, there’s a good chance that you are leaking information.
The solution is simple. Place all sensitive data outside of your web server’s document root. Many experts now advocate placing most, if not all, of your PHP code outside of your web server’s document root. Since PHP is not limited by the same restrictions as your web server, you can make a directory on the same level as your document root and place all of your sensitive data and code there.
/phpinc
    /includes
/htdocs
    /images
    /js
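As an added example (not code from the original article), here is how a front controller at /htdocs/index.php would load credentials from /phpinc/includes/db.php, one level above the document root, so that no URL can ever map to the credential file. The directory names follow the layout above; the helper assertOutsideDocroot, the db.php contents and the DSN values are assumptions for illustration.

```php
<?php
// Front controller in /htdocs/index.php (assumed location).
// Sensitive code and data live in /phpinc, a sibling of the document root,
// so the web server never serves them no matter what extension they carry.
declare(strict_types=1);

// dirname(__DIR__) is the parent of /htdocs, i.e. the directory holding /phpinc.
define('PRIVATE_ROOT', dirname(__DIR__) . '/phpinc');

/**
 * Resolve an include path and refuse it if it sits inside the document root.
 * realpath() resolves symlinks and "..", so a credential file that was
 * accidentally copied or linked under /htdocs is caught before it is used.
 * (Hypothetical helper, not part of the original article.)
 */
function assertOutsideDocroot(string $path): string
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("Missing include: $path");
    }
    $docroot = realpath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
    if ($docroot !== false) {
        $prefix = rtrim($docroot, '/') . '/';
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            throw new RuntimeException("Refusing to load $real: it is inside the document root");
        }
    }
    return $real;
}

// Assumed contents of /phpinc/includes/db.php: a file that simply returns
// the credentials as an array, so nothing is defined in the global scope.
//   <?php
//   return [
//       'dsn'  => 'mysql:host=localhost;dbname=app',
//       'user' => 'app',
//       'pass' => 'example-password',   // constructed placeholder value
//   ];
$db = require assertOutsideDocroot(PRIVATE_ROOT . '/includes/db.php');

$pdo = new PDO($db['dsn'], $db['user'], $db['pass'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Application code continues here using $pdo; the credentials never sit
// under /htdocs, so http://example.com/includes/db.inc has nothing to return.
```

Returning the credentials as an array from the included file, rather than defining globals, keeps them scoped to the code that needs them; the realpath check is a belt-and-braces guard that turns a misplaced credential file into an immediate error instead of a silent leak.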