原文出处：http://devzone.zend.com/article/1807-PHP-Security-Tip-9
翻译：[email protected]

Sometimes it’s the simplest ideas that are the most powerful. This one sounds simple but I’m always surprised at how few people understand and actually implement this idea.

有些时候看似最为简单的想法其实却非常有力(有效)。这听上去简单，但只有那么少数人了解并实际应履行了这些想法(的现状)多少让我有点惊讶。

Keep sensitive data and code out of your web tree
将敏感的数据或是代码脱离你的WEB树

Consider this directory structure.
思考这个目录结构

/htdocs
 /includes
 /images
 /js

If you store your database credentials in a file named db.inc and place it in the /includes directory, it is possible for someone to download your the information in that file by going to http://example.com/includes/db.inc. Since most web servers aren’t given explicit instructions on how to deal with .inc files, they are treated as text if requested directly. The ramifications of this are obvious. If you store your database credentials in a file with an extension other than .php and inside your web server’s document root, there’s a good chance that you are leaking information.

如果你将你的数据库凭证文件命名为 db.inc 并将其放置于 /include 文件夹。这就有可能让一些人将你的信息以 http://example.com/includes/db.inc 这样的方式下载走。因为大多数WEB服务器并不能对类似.inc文件给予明确的指令，当请求时它们会以文本文件的方式进行处理。以此展开的延伸物也一样。如果你将你的数据库凭证保存在不以 .php 扩展的文件上，并存放在你WEB服务器的文档根目录上，那么对于黑客来说就是个好机会了，因为你已经泄露了信息。

The solution is simple. Place all sensitive data outside of your web server’s document root. Many experts now advocate placing most, if not all, of your php code outside of your web server’s document root. Since PHP is not limited by the same restrictions are you web server, you can make a directory on the same level as your document root and place all of your sensitive data and code there.

解决方法很简单。将所有敏感数据提出你的WEB服务器文档根目录。许多专家现在倡导把大部分敏感数据放出去，如果不是全部的话，你的php代码放到你的web服务器根目录外。因为PHP没有像WEB服务器那样有一样的限制，你可以建立一个和你根目录同层的文件夹并将你所有的敏感数据和代码放在那里

/phpinc
 /includes
/htdocs
 /images
 /js

评论 (1) 1 All

登陆 | 还没注册？