
Sensitive information in PHP anti-injection programs_PHP tutorial

WBOY
Release: 2016-07-13 17:11:12

Preventing injection is one part of PHP security, and a technique every programmer must understand and master. Here I will introduce some security practices for handling sensitive information in our programs.


Simply put, sensitive information is anything you don't want others to know, such as the database address, username and password. The fewer people who know this kind of information, the better.

Usually, the configuration file in a PHP program looks roughly like this:

The code is as follows:

<?php
return array(
    'database' => array(
        'host'     => '192.168.0.1',
        'user'     => 'administrator',
        'password' => 'e1bfd762321e409cee4ac0b6e841963c',
    ),
);
?>

Sometimes, for reasons such as code review or collaborative development, a third party needs read access to the code repository. Once that access is granted, sensitive information such as the database address, username and password is exposed. Of course, you could keep the configuration file out of the repository and write a document explaining how to create it, but I don't like this approach, because the code itself is then incomplete.

How can this problem be solved? The most direct way is to remove the sensitive information from the code and keep it somewhere else. Where exactly? There are many options; one is to set it through nginx's fastcgi_param:

The code is as follows:

fastcgi_param DATABASE_HOST 192.168.0.1;
fastcgi_param DATABASE_USERNAME administrator;
fastcgi_param DATABASE_PASSWORD e1bfd762321e409cee4ac0b6e841963c;
After this mapping, the code no longer contains the sensitive information directly:

The code is as follows:

<?php
return array(
    'database' => array(
        'host'     => $_SERVER['DATABASE_HOST'],
        'user'     => $_SERVER['DATABASE_USERNAME'],
        'password' => $_SERVER['DATABASE_PASSWORD'],
    ),
);
?>
In addition, you can also set it through php-fpm's env directive:

The code is as follows:

env[DATABASE_HOST] = 192.168.0.1
env[DATABASE_USERNAME] = administrator
env[DATABASE_PASSWORD] = e1bfd762321e409cee4ac0b6e841963c


One thing to note: this setting must go in the main configuration file php-fpm.conf; it cannot be placed in a sub-configuration file pulled in by the include directive, otherwise the error "Array are not allowed in the global section" is reported. Another point: although the values are set through env, they end up in $_SERVER, not $_ENV.

Note: @Laruence reminded me that if the configuration is set through nginx's fastcgi_param, a large amount of data is transferred every time nginx talks to PHP, so setting it through php-fpm's env is relatively more efficient. Brother Niao recommends using a standalone extension such as "hidef" instead.

Solving the problem through the nginx or php-fpm configuration files has one disadvantage: it only works for the web. When a script is run from the command line, the information is not available in $_SERVER. This is not hard to fix, though: write a shared script that reads the nginx or php-fpm configuration file and maps the values into the command-line environment. I'll leave that as an exercise.
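One way to write the shared script left as an exercise above, as an added example that is not code from the original article: when PHP runs from the command line it parses the env[NAME] = value lines out of php-fpm.conf and maps them into $_SERVER, so the same $_SERVER-based config file works on the web and on the CLI, and it fails fast when a setting is missing rather than passing null to the database driver. The path /etc/php-fpm.conf and the DATABASE_* names are assumptions.

```php
<?php
// Added example, not from the original article. Maps php-fpm.conf env[]
// directives into $_SERVER for CLI runs; on the web php-fpm has already
// populated $_SERVER and the file is never opened. Path and DATABASE_*
// names are assumptions.

// Parse "env[NAME] = value" directives out of php-fpm.conf text. Blank
// lines, ";" comments and every other directive are ignored; optional
// quotes around the value are stripped.
function parseFpmEnv(string $conf): array
{
    $vars = [];
    foreach (preg_split('/\R/', $conf) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === ';') {
            continue;
        }
        if (preg_match('/^env\[([A-Za-z_][A-Za-z0-9_]*)\]\s*=\s*(.*)$/', $line, $m)) {
            $vars[$m[1]] = trim($m[2], " \t\"'");
        }
    }
    return $vars;
}

// Build the database settings the way the article's config file does, but
// throw if a value is absent instead of silently using null.
function databaseConfig(array $server): array
{
    $map = ['host' => 'DATABASE_HOST', 'user' => 'DATABASE_USERNAME', 'password' => 'DATABASE_PASSWORD'];
    $db = [];
    foreach ($map as $field => $key) {
        if (!isset($server[$key]) || $server[$key] === '') {
            throw new RuntimeException("Missing required setting $key");
        }
        $db[$field] = $server[$key];
    }
    return ['database' => $db];
}

if (PHP_SAPI === 'cli') {
    $fpmConf = '/etc/php-fpm.conf'; // assumed location of the main php-fpm config
    if (is_readable($fpmConf)) {
        // "+=" keeps entries already in $_SERVER: a variable exported in the
        // shell wins over the value read from the file.
        $_SERVER += parseFpmEnv((string) file_get_contents($fpmConf));
    }
}
return databaseConfig($_SERVER);
```

Because the file ends with return, it can be used in place of the article's config file with require.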

Now the code is clean, and the remaining work is securing the nginx or php-fpm configuration file. Compared with the code, far fewer people need access to the nginx or php-fpm configuration, so it is relatively easier to manage.

There is also an important function, phpinfo(), that everyone must pay attention to. If the phpinfo page can be displayed normally, we can


Details
PHPInfo provides the following information:
* PHP version (accurate version information, including build version)
* System version information (accurate version information, including build version)
* Extension directory (the directory where PHP is located)
* SMTP server information
* Sendmail path (if Sendmail is installed)
* POSIX version information
* Database:
  * ODBC settings (including path, database name, default password, etc.)
  * MySQL client version information (accurate version information, including build version)
  * Oracle version information and library path
  * The actual path to the location
* Web server:
  * IIS version information
  * Apache version information
* If running under Win32:
  * Computer name
  * Location of the Windows directory
  * PATH (can be used to leak installed-software information)

Example:
Visit a URL similar to the following:
http://www.example.com/PHP/phpinfo.php

source:php.cn