Guarding against injection is one of the techniques every PHP programmer must understand and master; here I want to introduce a few security practices for handling sensitive information in our programs.
Put simply, there is information you do not want others to know, such as the database address, user name and password: the fewer people who know it, the better.
Typically, the configuration file in a PHP program looks roughly like this:

```php
<?php
// Secrets hard-coded in the repository: anyone with read access sees them.
return array(
    'database' => array(
        'host'     => '192.168.0.1',
        'user'     => 'Administrator',
        'password' => 'e1bfd762321e409cee4ac0b6e841963c',
    ),
);
?>
```
Sometimes, for reasons such as code review or cooperative development, a third party needs read access to the code repository, and as soon as that is granted the database address, user name, password and other sensitive information are exposed. Of course, you could keep the configuration file out of the repository and write a document explaining it instead, but I do not like that approach, because the code is then no longer complete on its own.
How do we solve this kind of problem? The most straightforward approach is to take the sensitive information out of the code and keep it somewhere else. Where? There are many options; one is to set it through Nginx's fastcgi_param:

```nginx
fastcgi_param DATABASE_HOST     192.168.0.1;
fastcgi_param DATABASE_USER     Administrator;
fastcgi_param DATABASE_PASSWORD e1bfd762321e409cee4ac0b6e841963c;
```
After such a mapping, our code no longer contains the sensitive information directly:

```php
<?php
// The values arrive from the FastCGI environment, not from the source tree.
return array(
    'database' => array(
        'host'     => $_SERVER['DATABASE_HOST'],
        'user'     => $_SERVER['DATABASE_USER'],
        'password' => $_SERVER['DATABASE_PASSWORD'],
    ),
);
?>
```
In addition, the PHP-FPM env directive can be used to set the same values:

```ini
env[DATABASE_HOST] = 192.168.0.1
env[DATABASE_USER] = Administrator
env[DATABASE_PASSWORD] = e1bfd762321e409cee4ac0b6e841963c
```
One point to note is that this setting must be placed in the main configuration file php-fpm.conf; it cannot go in a sub-configuration file pulled in through the include directive, otherwise PHP-FPM reports the error "array is not allowed in the global section". Another point: although the values are set through env, they still show up in $_SERVER, not in $_ENV.
Note: @Laruence reminds me that if the configuration information is set through Nginx's fastcgi_param, it is transferred from Nginx to PHP on every request, which adds a lot of data transfer (so setting it through PHP-FPM's env seems comparatively better). Brother Bird also suggests using a dedicated extension, such as "hidef".
Solving the problem with the Nginx or PHP-FPM configuration files has one disadvantage: it only works for the web. If the program is run from the command line, the relevant information cannot be found in $_SERVER. This is not hard to get around, though: write a small general-purpose script that reads the Nginx or php-fpm configuration file and maps that information dynamically into the command-line environment. I leave the details to everyone to work out.
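The mapping script the text leaves to the reader, as an added example that is not part of the original post: a POSIX shell script that parses php-fpm `env[NAME] = value` lines or nginx `fastcgi_param NAME value;` lines and exports them into the current shell before a command-line PHP script runs, so the script can read them with getenv(). The file names, fragments and values are constructed placeholders, not real credentials; it exports every matching directive verbatim, so point it at a file that holds only the secrets you intend to expose to the CLI environment.

```shell
#!/bin/sh
# Added example (not from the original post): map secrets that live in a
# php-fpm.conf "env[NAME] = value" block or an nginx "fastcgi_param NAME value;"
# block into the shell environment, so a PHP CLI script can read them with
# getenv() instead of hard-coding them. File contents and values below are
# constructed placeholders, not real credentials.

# Print "NAME=value" lines for php-fpm style settings: env[NAME] = value
phpfpm_env_pairs() {
    sed -n 's/^[[:space:]]*env\[\([A-Za-z_][A-Za-z0-9_]*\)\][[:space:]]*=[[:space:]]*\(.*\)$/\1=\2/p' "$1" \
        | sed 's/[[:space:]]*$//'
}

# Print "NAME=value" lines for nginx style settings: fastcgi_param NAME value;
# A double-quoted value has its surrounding quotes removed.
nginx_fastcgi_pairs() {
    sed -n 's/^[[:space:]]*fastcgi_param[[:space:]]\{1,\}\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]\{1,\}\(.*\);[[:space:]]*$/\1=\2/p' "$1" \
        | sed 's/^\([^=]*\)="\(.*\)"$/\1=\2/'
}

# Read "NAME=value" lines on stdin and export each one. The value is wrapped in
# single quotes (embedded quotes escaped) before eval, so spaces, semicolons and
# other shell metacharacters survive unchanged.
export_pairs() {
    while IFS= read -r pair; do
        name=${pair%%=*}
        value=${pair#*=}
        case $name in
            ''|*[!A-Za-z0-9_]*) continue ;;   # skip blank or malformed names
        esac
        quoted=$(printf '%s' "$value" | sed "s/'/'\\\\''/g")
        eval "export $name='$quoted'"
    done
}

# load_secrets PARSER FILE: run PARSER on FILE and export the result into the
# current shell. A here-document is used instead of a pipe so the loop does
# not run in a subshell and the exports persist after the function returns.
load_secrets() {
    pairs=$("$1" "$2")
    export_pairs <<EOF
$pairs
EOF
}

# Constructed php-fpm.conf fragment (placeholder values).
SAMPLE_FPM=$(mktemp)
cat > "$SAMPLE_FPM" <<'EOF'
[global]
pid = /run/php-fpm.pid
env[DATABASE_HOST] = 192.168.0.1
env[DATABASE_USER] = Administrator
env[DATABASE_PASSWORD] = pa ss'word
EOF

# Constructed nginx location fragment (placeholder values).
SAMPLE_NGINX=$(mktemp)
cat > "$SAMPLE_NGINX" <<'EOF'
location ~ \.php$ {
    fastcgi_param DATABASE_HOST 192.168.0.1;
    fastcgi_param DATABASE_USER "Administrator";
    fastcgi_param DATABASE_PASSWORD "secret;with;semicolons";
}
EOF

# Usage: load the settings, then run the CLI script in the same shell, e.g.
#   load_secrets phpfpm_env_pairs /etc/php-fpm.conf && php cron.php
# (the PHP side then calls getenv('DATABASE_PASSWORD') rather than $_SERVER)
```

The parsers deliberately accept only identifier-shaped names, and `export_pairs` re-checks the name before `eval`, so a stray line in the configuration cannot turn into arbitrary shell code; the only thing evaluated is `export NAME='…'` with the value single-quoted.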
The code is now clean; what remains is making sure the Nginx or PHP-FPM configuration file itself is secure. Compared with the code, though, the Nginx or PHP-FPM configuration file does not need to be readable by many people, so it is relatively easy to manage.
There is also an important function, phpinfo(), that everyone must pay attention to: if phpinfo() can be displayed normally, anyone who reaches it can see the details it provides.
phpinfo() exposes information such as the following:
* PHP version (exact version information, including the build version)
* System version information (exact version information, including the build version)
* Extension directory (PHP directory)
* SMTP server information
* sendmail path (if sendmail is installed)
* POSIX version information
* Database:
  * ODBC settings (including path, database name, default password, etc.)
  * MySQL client version information, including the exact build version
  * Oracle version information and the path to the library
* The actual filesystem path of your script
* Web server:
  * IIS version information
  * Apache version information
* If running under Win32:
  * Computer name
  * Location of the Windows directory
  * PATH (can be used to leak information about installed software)
Example: all of this is shown by accessing a URL similar to the following:
http://www.example.com/PHP/phpinfo.php
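Two defender-side checks for the exposure just described, as an added example that is not part of the original post: one verifies that a php.ini's disable_functions line actually covers phpinfo, the other inventories .php files under a web root that call phpinfo(). The php.ini fragment and the sample web root are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): defender-side checks for
# phpinfo() exposure. The php.ini fragment and the sample web root below are
# constructed for illustration.

# Return 0 if the effective disable_functions line in a php.ini lists phpinfo,
# 1 otherwise. $1 = path to php.ini. Commented lines (leading ';') are ignored
# and the last active disable_functions line wins, as in PHP itself.
phpinfo_disabled() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=\(.*\)$/\1/p' "$1" \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qx 'phpinfo'
}

# Print every .php file under $1 that contains a phpinfo( call, sorted.
# This is a first-pass inventory: it does not distinguish a call inside a
# comment from a live one, so review each hit before deleting it.
find_phpinfo_calls() {
    grep -rl --include='*.php' 'phpinfo[[:space:]]*(' "$1" 2>/dev/null | sort
}

# Constructed php.ini fragment: the commented line must be ignored, the active
# line disables phpinfo.
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
; constructed php.ini fragment
;disable_functions = exec
disable_functions = exec, passthru, phpinfo
EOF

# Constructed php.ini fragment that forgets phpinfo.
SAMPLE_INI_OPEN=$(mktemp)
cat > "$SAMPLE_INI_OPEN" <<'EOF'
disable_functions = exec, passthru
EOF

# Constructed web root with one leftover diagnostic page.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/PHP"
printf '<?php phpinfo(); ?>\n' > "$SAMPLE_ROOT/PHP/phpinfo.php"
printf '<?php echo "hello";\n'   > "$SAMPLE_ROOT/index.php"

# Usage against a real deployment, e.g.
#   phpinfo_disabled /etc/php.ini || echo "phpinfo() is still callable"
#   find_phpinfo_calls /var/www/html
```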