Database Security

SetEnv DB_USER "myuser"
SetEnv DB_PASS "mypass"
SetEnv is an Apache directive, and the format of this file instructs Apache to create environment variables for your database username and password. Of course, the key to this technique is that only the root user can read the file. If you do not have access to the root user, you can restrict read privileges to yourself only, and this offers similar protection:
$ chmod 600 db.conf
$ ls db.conf
-rw------- 1 chris chris 48 May 21 12:34 db.conf
This effectively prevents a malicious script from accessing your database access credentials, so you can store sensitive data in the database without a significant risk of it being compromised.
For this file to be useful to you, you need to be able to access this data from PHP. To do this, httpd.conf needs to include this file as follows:
Include "/path/to/db.conf"
You can access these variables in the $_SERVER superglobal array, so db.inc can reference $_SERVER variables instead of revealing the database access credentials:
<?php
// The credentials are exported by Apache from db.conf (SetEnv), so this
// file never contains them and exposes nothing if it is served by mistake.
$db_user = $_SERVER['DB_USER'];
$db_pass = $_SERVER['DB_PASS'];
$db_host = 'localhost';
// The mysql_* extension the original used was removed in PHP 7; mysqli_connect
// takes the same host/user/password arguments.
$db = mysqli_connect($db_host, $db_user, $db_pass);
?>
If this file is exposed, the database access credentials are not revealed. This offers a significant increase in security on a shared host, and it is also a valuable Defense in Depth technique on a dedicated host.
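A hardened version of db.inc, added here as an example rather than taken from the original article, shows the two details a practitioner usually wants on top of the technique above: fail closed when the variables are missing (so a misplaced Include never silently degrades into hard-coded or empty credentials), and keep the database error text out of the client response, since MySQL's "Access denied" message names the user. It assumes the Include of db.conf sits inside the site's <VirtualHost> block (a SetEnv at the top level of httpd.conf applies to every virtual host on the server) and that db.conf is mode 0600 as shown earlier; the function names db_credentials and db_connect are this example's own.

```php
<?php
// Added example (not the original article's code): a hardened db.inc that
// reads the credentials Apache exported with SetEnv from db.conf.
// Assumes httpd.conf contains  Include "/path/to/db.conf"  inside the
// <VirtualHost> block for this site, and that db.conf is mode 0600.

function db_credentials(): array
{
    $creds = [];
    foreach (['DB_USER', 'DB_PASS'] as $name) {
        // Fail closed: never fall back to a hard-coded value, or the
        // protection the article describes is lost the moment the
        // Include is forgotten on a new server.
        if (!isset($_SERVER[$name]) || $_SERVER[$name] === '') {
            throw new RuntimeException(
                "Missing environment variable $name; check the Include of db.conf in httpd.conf"
            );
        }
        $creds[$name] = $_SERVER[$name];
    }
    return $creds;
}

function db_connect(string $host = 'localhost'): mysqli
{
    $creds = db_credentials();

    // Throw exceptions instead of returning false, so a failed connection
    // cannot be ignored and the script continue as if it had a handle.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    try {
        return new mysqli($host, $creds['DB_USER'], $creds['DB_PASS']);
    } catch (mysqli_sql_exception $e) {
        // Do not echo $e->getMessage() to the client: MySQL's access-denied
        // text includes the username. Log it server-side instead.
        error_log('Database connection failed: ' . $e->getMessage());
        throw new RuntimeException('Database unavailable');
    }
}

// Never expose phpinfo() or var_dump($_SERVER) on this host: both print the
// environment, including DB_USER and DB_PASS.
$db = db_connect();
```

Because the values live in $_SERVER for every request of that virtual host, anything that dumps the environment (phpinfo(), a debug page, an error handler that prints $_SERVER) undoes the protection; treat such output as sensitive in the same way as db.conf itself.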
Of course, you can use this technique to protect any information (not just your database access credentials), but I find it more convenient to keep most data in the database, especially because this technique requires some cooperation from your hosting service provider.
posted @ 2014-04-04 17:22  wint  Views(131)  Comments(0)