Pay attention to sensitive information in PHP programs.

Source: Internet
Author: User

What is sensitive information? Put simply, it is information you do not want others to know, such as the database address, user name, and password. The fewer people who know it, the better.

Generally, the configuration files in the PHP program are roughly as follows:

    <?php
    return array(
        'database' => array(
            'host'     => '192.168.0.1',
            'username' => 'administrator',
            'password' => 'e1bfd762321e409cee4ac0b6e841963c',
        ),
    );
    ?>

Sometimes, for reasons such as code review or cooperative development, a third party needs read access to the code version repository. Once access is granted, sensitive information such as the database address, user name, and password is exposed. Of course, you could also keep the configuration file out of the version repository and describe it in a document instead, but I do not like this method, because the code itself is then incomplete.

How can this problem be solved? The most direct method is to remove sensitive information from the code and store it elsewhere. Where can it be stored? There are many options, such as setting it through nginx's fastcgi_param:

    fastcgi_param DATABASE_HOST 192.168.0.1;
    fastcgi_param DATABASE_USERNAME administrator;
    fastcgi_param DATABASE_PASSWORD e1bfd762321e409cee4ac0b6e841963c;

After such a mapping, our code no longer directly contains sensitive information:

    <?php
    return array(
        'database' => array(
            'host'     => $_SERVER['DATABASE_HOST'],
            'user'     => $_SERVER['DATABASE_USERNAME'],
            'password' => $_SERVER['DATABASE_PASSWORD'],
        ),
    );
    ?>

Alternatively, you can set the values with the env directive of php-fpm:

    env[DATABASE_HOST] = 192.168.0.1
    env[DATABASE_USERNAME] = administrator
    env[DATABASE_PASSWORD] = e1bfd762321e409cee4ac0b6e841963c

One thing to note: this setting must be placed in the main configuration file, php-fpm.conf, not in a sub-configuration file pulled in by the include directive, otherwise an error is reported: "Array are not allowed in the global section". In addition, although the values are set through env, they still end up in $_SERVER rather than $_ENV.

...

Both the nginx and the php-fpm configuration approaches solve the problem only for the web. If you run the code from the command line, the relevant values cannot be obtained from $_SERVER. This is not hard to fix, however: you only need to write a small script that reads the nginx or php-fpm configuration file and dynamically maps the values into the command-line environment. I leave that to everyone.
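As an added example (not code from the original article), the following loader ties the two points above together: it reads the DATABASE_* values the article maps through nginx or php-fpm from $_SERVER, falls back to the process environment when run from the command line, and refuses to start on a missing value rather than silently using an empty string. It also contains the small "map the php-fpm env[] lines into the CLI environment" script the article leaves as an exercise. The setting names are the article's; the function names, the sample php-fpm fragment and its placeholder values are constructed for this example.

```php
<?php
// Added example, not from the original article. Assumed names: the
// DATABASE_* settings from the article's nginx/php-fpm snippets. All
// function names and sample values below are hypothetical/constructed.

/**
 * Read one setting. Under nginx fastcgi_param or php-fpm env[] the value
 * lands in $_SERVER; under the CLI it may only exist in the real process
 * environment, so getenv() is the fallback. A missing value is an error,
 * never a silent empty string that would later be sent as a password.
 */
function secret_setting(string $name): string
{
    if (isset($_SERVER[$name]) && $_SERVER[$name] !== '') {
        return (string) $_SERVER[$name];
    }
    $value = getenv($name);
    if ($value !== false && $value !== '') {
        return $value;
    }
    throw new RuntimeException("Required setting {$name} is not set");
}

/**
 * Parse php-fpm style "env[NAME] = value" lines (the format shown in the
 * article) into an associative array. Comments (';'), blank lines and
 * other directives are ignored; surrounding quotes are stripped.
 */
function parse_fpm_env(string $ini): array
{
    $out = [];
    foreach (preg_split('/\R/', $ini) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === ';') {
            continue;
        }
        if (preg_match('/^env\[([A-Za-z_][A-Za-z0-9_]*)\]\s*=\s*(.*)$/', $line, $m)) {
            $out[$m[1]] = trim($m[2], " \t\"'");
        }
    }
    return $out;
}

/**
 * Export the parsed values into the environment of this CLI process only,
 * so a command-line script sees the same settings as the web workers.
 * The php-fpm.conf must of course be readable by the user running the CLI.
 */
function load_fpm_env_for_cli(string $fpmConfPath): void
{
    foreach (parse_fpm_env((string) file_get_contents($fpmConfPath)) as $k => $v) {
        putenv("{$k}={$v}");
    }
}

/** The equivalent of the article's config file, with no secrets in the code. */
function database_config(): array
{
    return [
        'host'     => secret_setting('DATABASE_HOST'),
        'username' => secret_setting('DATABASE_USERNAME'),
        'password' => secret_setting('DATABASE_PASSWORD'),
    ];
}

// Demo with a constructed php-fpm fragment (placeholder values, not real credentials).
if (PHP_SAPI === 'cli') {
    $tmp = tempnam(sys_get_temp_dir(), 'fpm');
    file_put_contents($tmp, "[www]\n"
        . "; constructed sample, not a real pool configuration\n"
        . "env[DATABASE_HOST] = db.example.internal\n"
        . "env[DATABASE_USERNAME] = app_user\n"
        . "env[DATABASE_PASSWORD] = REPLACE_ME_PLACEHOLDER\n");
    load_fpm_env_for_cli($tmp);
    unlink($tmp);
    $cfg = database_config();
    // Log only non-secret fields; never echo or log the password.
    echo "host={$cfg['host']} user={$cfg['username']}\n";
}
```

Run it with `php loader.php`; in a real deployment you would call `load_fpm_env_for_cli('/etc/php-fpm.conf')` (path assumed) at the top of your CLI entry point and leave the web path untouched, since there $_SERVER already carries the values.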

...

Note: @Laruence reminded me that if the configuration is set through nginx's fastcgi_param, every exchange between nginx and PHP carries that extra data, so the php-fpm env approach seems to be the better of the two. Laruence recommends an independent extension such as "hidef". If you use hidef, note that the constants hidef defines can be viewed at a glance through the phpinfo function. To be safe, disable that function in php.ini: "disable_functions = phpinfo".
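Whichever channel you pick, the values are still visible to anything that can dump $_SERVER or call phpinfo(), so the disable_functions setting above deserves a check rather than an assumption. The following self-check is an added example (not from the article or from the hidef project): it reports whether phpinfo() is genuinely disabled and which of the DATABASE_* names from the article are currently exposed as constants (the hidef route) or as request variables (the nginx/php-fpm route), without printing any of the values. The function name is hypothetical.

```php
<?php
// Added example, not from the original article. Checks the hardening the
// note describes. Setting names are the article's; the function name is
// hypothetical. Values are deliberately never included in the report.

function secret_exposure_report(
    array $names = ['DATABASE_HOST', 'DATABASE_USERNAME', 'DATABASE_PASSWORD']
): array {
    // function_exists() returns false for a function listed in disable_functions,
    // so it reflects the setting the running SAPI actually loaded, not just php.ini on disk.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $report = [
        'phpinfo_callable'   => function_exists('phpinfo'),
        'phpinfo_in_disable' => in_array('phpinfo', $disabled, true),
        'hidef_loaded'       => extension_loaded('hidef'),
        'exposed_constants'  => [],   // names defined as constants (e.g. via hidef)
        'exposed_server'     => [],   // names present in $_SERVER (fastcgi_param / env[])
    ];
    foreach ($names as $n) {
        if (defined($n)) {
            $report['exposed_constants'][] = $n;
        }
        if (isset($_SERVER[$n])) {
            $report['exposed_server'][] = $n;
        }
    }
    return $report;
}

// Usage: run once under each SAPI you deploy (php-fpm and CLI load php.ini
// separately, so a setting that holds for one may not hold for the other).
$r = secret_exposure_report();
echo 'phpinfo callable: ' . ($r['phpinfo_callable'] ? 'YES (not disabled)' : 'no') . "\n";
echo 'hidef loaded:     ' . ($r['hidef_loaded'] ? 'yes' : 'no') . "\n";
echo 'as constants:     ' . (implode(', ', $r['exposed_constants']) ?: 'none') . "\n";
echo 'in $_SERVER:      ' . (implode(', ', $r['exposed_server']) ?: 'none') . "\n";
```

A result of "phpinfo callable: YES" together with any name in either exposed list means the secret can be read by any script, or any injected code, that runs in that worker; that is the condition the disable_functions line is meant to remove. Disabling phpinfo() does not stop a script from reading $_SERVER or the constants directly, so the report is a check on accidental disclosure, not a substitute for keeping untrusted code out of the worker.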

...

It seems that hidef is the more usable option. The specific choice depends on the actual situation: if you can install extensions, hidef is recommended; otherwise, use env.

Original article address: Pay attention to the sensitive information in the PHP program. Thank you for sharing it with the original author.
