问题描述

我刚接到一项任务，要处理一个老式开发的网页.

I just got a task to work on an old-styled-developed webpage.

也就是说，常用的变量/常量和数据库连接的变量都在查看php-engine中，而不是在一个单独的文件中.:-(

It means, the common used variables / constants and variables of database connection are in the viewing php-engine, not in a separated file. :-(

我想我会把它们放到一个 config.php 或 config.inc 文件中，然后和 require_once('/path/filename') 一起使用；在引擎中.

I thought I will put them into a config.php or config.inc file, and just using with require_once('/path/filename'); in the engine.

我的问题是，我对安全不熟悉，所以我想，我改变了权限(也许是 755?).

My problem is , that I am not familiar with the securing, so I thought, I change the privileges (maybe 755?).

还有什么我可以做的吗?

Is there anything else I could do?

推荐答案

将配置文件移到公共文件夹之外，使其无法通过 URL 访问.否则，您的网络服务器中的错误配置可能会发送未解析的文件(有人可能忘记告诉网络服务器 .inc 文件应该通过 php 运行.出于这个原因，我从不将它们命名为 .inc.总是 .php).这种情况很少见，但我在访问过的网站上至少发生过两次这种情况，而且他们的文件中也有凭据.

Move the config file outside the public folder so it cannot be accessed via URL. Otherwise, a misconfiguration in your webserver might send the file unparsed (someone might forget to tell the webserver that .inc files should be run through php. I never name them .inc for that reason. Always .php). It's rare but I had this happen at least two times on sites I visited and they had credentials in their files, too.

这篇关于隐藏/保护 php-engine 配置文件的最佳实践?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！