Sensitive information in PHP anti-injection programs. Anti-injection is one of the PHP security techniques that every programmer must understand and master. Next I will introduce some security practices for handling sensitive information in our programs.
To put it simply, sensitive information is whatever you do not want others to know, such as the database address, user name and password. The fewer people who know it, the better.
Generally, the configuration file in a PHP program looks roughly like this:
The code is as follows:

    <?php
    return array(
        'database' => array(
            'host'     => '192.168.0.1',
            'user'     => 'admin',
            'password' => 'e1bfd762321e409cee4ac0b6e841963c',
        ),
    );
Sometimes, for reasons such as code review or cooperative development, a third party needs read access to the code repository. Once that access is granted, the database address, user name, password and other sensitive information are exposed. Of course, you could also keep the configuration file out of the repository and write a document describing it instead, but I do not like this method, because the code itself is then incomplete.
How can this problem be solved? The most direct method is to remove sensitive information from the code and store it elsewhere. Where? There are many options, for example setting it through nginx's fastcgi_param:
The code is as follows:

    fastcgi_param DATABASE_HOST     192.168.0.1;
    fastcgi_param DATABASE_USERNAME administrator;
    fastcgi_param DATABASE_PASSWORD e1bfd762321e409cee4ac0b6e841963c;
After this change, our code no longer contains sensitive information directly:
The code is as follows:

    <?php
    return array(
        'database' => array(
            'host'     => $_SERVER['DATABASE_HOST'],
            'user'     => $_SERVER['DATABASE_USERNAME'],
            'password' => $_SERVER['DATABASE_PASSWORD'],
        ),
    );
In addition, you can set the same values with the env directive of php-fpm:
The code is as follows:

    env[DATABASE_HOST]     = 192.168.0.1
    env[DATABASE_USERNAME] = administrator
    env[DATABASE_PASSWORD] = e1bfd762321e409cee4ac0b6e841963c
One thing to note is that these settings must be placed in the main php-fpm.conf file, not in a sub-configuration file pulled in by the include directive; otherwise an error is reported: "Array are not allowed in the global section". Also, although the values are set through env, they still end up in $_SERVER rather than $_ENV.
Note: @Laruence reminds me that if the configuration is set through nginx's fastcgi_param, a large amount of extra data is transmitted every time nginx talks to PHP (so using php-fpm's env seems to be the better choice). Laruence recommends using a dedicated extension instead, such as "hidef".
The nginx and php-fpm configuration files solve the problem only for the web: if you run the same code from the command line, the information is not available in $_SERVER. This is not hard to fix, though. You only need to write a small script that reads the nginx or php-fpm configuration file and maps the values into the command-line environment; I will leave that to the reader.
The code is now clean, and the remaining work is to secure the nginx or php-fpm configuration file. Compared with the code, far fewer people need permissions on the nginx or php-fpm configuration files, so they are relatively easier to manage.
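As an added example (not code from the original post), here is a config.php that pulls the three settings above out of $_SERVER under php-fpm and, when run from the command line, falls back to parsing the env[] lines of php-fpm.conf, which is the reader exercise left above. The path /etc/php-fpm.conf and the variable names are assumptions chosen to match the post; a missing setting is treated as a hard error rather than silently defaulting.

```php
<?php
// Added example (not from the original post): config.php that keeps
// credentials out of the repository. Under php-fpm the values arrive in
// $_SERVER (from nginx fastcgi_param or php-fpm env[]); on the command
// line they are read from the env[] lines of php-fpm.conf instead.
declare(strict_types=1);

const FPM_CONF = '/etc/php-fpm.conf'; // assumed path to the main php-fpm.conf

/** Parse `env[NAME] = value` lines from the main php-fpm.conf into an array. */
function parseFpmEnv(string $conf): array
{
    $vars = [];
    $lines = file($conf, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    foreach ($lines as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === ';') {
            continue; // skip blank lines and ; comments
        }
        if (preg_match('/^env\[([A-Za-z0-9_]+)\]\s*=\s*(.*?)\s*$/', $line, $m)) {
            $vars[$m[1]] = trim($m[2], '"');
        }
    }
    return $vars;
}

/** Return setting $name from $_SERVER, then from the CLI fallback; fail closed otherwise. */
function secret(string $name, array $cliVars): string
{
    if (isset($_SERVER[$name]) && $_SERVER[$name] !== '') {
        return (string) $_SERVER[$name];
    }
    if (isset($cliVars[$name]) && $cliVars[$name] !== '') {
        return $cliVars[$name];
    }
    // Report the name only, never the value, so the exception cannot leak a secret into a log.
    throw new RuntimeException("Missing setting $name: set it via nginx fastcgi_param or php-fpm env[]");
}

$cliVars = (PHP_SAPI === 'cli' && is_readable(FPM_CONF)) ? parseFpmEnv(FPM_CONF) : [];

return [
    'database' => [
        'host'     => secret('DATABASE_HOST', $cliVars),
        'user'     => secret('DATABASE_USERNAME', $cliVars),
        'password' => secret('DATABASE_PASSWORD', $cliVars),
    ],
];
```

The command-line user needs read permission on php-fpm.conf for the fallback to work, which is exactly the file whose permissions must be kept tight.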
You must also pay attention to another important function, phpinfo(). If the phpinfo() page can be displayed normally, we can
Details
phpinfo() provides the following information:
* PHP version (exact version information, including build version)
* System version information (exact version information, including build version)
* Extension directory (PHP directory)
* SMTP server information
* Sendmail path (if Sendmail is installed)
* POSIX version information
* Database
  * ODBC settings (including the path, database name, default password, and so on)
  * MySQL client version information (exact version information, including build version)
  * Oracle version information and database path
* Actual path of the location
* Web server
  * IIS version information
  * Apache version information
* If running on Win32:
  * Computer name
  * Location of the Windows directory
  * PATH (reveals installed software)
Example:
Access a URL similar to the following:
http://www.example.com/PHP/phpinfo.php
....