What should you pay attention to about sensitive information in PHP programs?

return array(
 'database' => array(
 'host' => '192.168.0.1',
 'user' => 'administrator',
 'password ' => 'e1bfd762321e409cee4ac0b6e841963c',
 ),
);

?>

Sometimes for some reasons, such as code review, or cooperative development, etc., third parties It is necessary to obtain the read permission of the code version warehouse. Once authorized, sensitive information such as the database address, user name, password, etc. will be exposed. Of course, you can not save the configuration file in the code version repository, but write a document to explain it, but I don't like this method, because then the code itself is incomplete.

How to solve this kind of problem? The most direct way is to remove sensitive information from the code and save it somewhere else. Where exactly is it saved? There are many options, such as setting it through nginx’s fastcgi_param:

return array(
 'database' => array(
 'host' => $_SERVER['DATABASE_HOST'],
 'user' => $_SERVER[' DATABASE_USERNAME'],
 'password' => $_SERVER['DATABASE_PASSWORD'],
 ),
);

?>

In addition, you can also pass the env command of php-fpm To set:

env[DATABASE_HOST] = 192.168.0.1 env[DATABASE_USERNAME] = administrator env[DATABASE_PASSWORD] = e1bfd762321e409cee4ac0b6e841963c

One thing to note is that this setting must be placed in the main configuration file php-fpm.conf and cannot be placed in the sub-configuration file set by the include directive, otherwise an error will be reported: "Array are not allowed in the global section"; in addition One thing, although it is set through env, the result is still in $_SERVER, not $_ENV.

Note: @Laruence reminded me that if the configuration information is set through nginx's fastcgi_param, when nginx interacts with php, a large amount of data will be transferred (so it seems that setting it through php-fpm's env is relatively more advantageous) ), Brother Niao suggests using an independent extension, such as "hidef".

If you solve the problem through nginx and php-fpm configuration files, there is a disadvantage. It is only valid for the Web. If you run it through the command line, you cannot get the relevant information in $_SERVER. However, this is not difficult. Just write By matching the nginx or php-fpm configuration file with a public script, you can dynamically map this information to the command line environment. I’ll leave it to you to do it specifically.

The remaining work is how to ensure the security of nginx or php-fpm configuration files. However, compared with code, nginx or php-fpm configuration files do not require many people to have permissions, so they are relatively easier to manage.