Preventing injection is one part of PHP security that every programmer must understand and master. Here I want to introduce some practices for handling sensitive information in our programs.
What counts as sensitive information? Put simply, it is information you do not want others to know: the database address, user name, password, and so on. The fewer people who know this kind of information, the better.
Usually, the configuration file in a PHP program looks roughly like this:
```php
<?php
return array(
    'database' => array(
        'host'     => '192.168.0.1',
        'username' => 'administrator',
        'password' => 'e1bfd762321e409cee4ac0b6e841963c',
    ),
);
```

Written this way, anyone who can read the code can read the credentials. The alternative is to keep the values out of the source entirely and hand them to PHP from the web server or php-fpm configuration instead.
If nginx sits in front of PHP, the values can be passed as FastCGI parameters in the nginx configuration:

```nginx
fastcgi_param DATABASE_HOST     192.168.0.1;
fastcgi_param DATABASE_USER     administrator;
fastcgi_param DATABASE_PASSWORD e1bfd762321e409cee4ac0b6e841963c;
```
The PHP configuration file then reads the values from $_SERVER instead of containing them (the key names must match exactly the names set in nginx or php-fpm):

```php
<?php
return array(
    'database' => array(
        'host'     => $_SERVER['DATABASE_HOST'],
        'username' => $_SERVER['DATABASE_USERNAME'],
        'password' => $_SERVER['DATABASE_PASSWORD'],
    ),
);
```
With php-fpm, the same values can be set with the env directive in php-fpm.conf instead:

```ini
env[DATABASE_HOST] = 192.168.0.1
env[DATABASE_USERNAME] = administrator
env[DATABASE_PASSWORD] = e1bfd762321e409cee4ac0b6e841963c
```
One thing to note: this setting must be placed in the main configuration file php-fpm.conf; it cannot go in a sub-configuration file pulled in by the include directive, otherwise php-fpm reports the error "Array are not allowed in the global section". Another point: although the values are set through env, they end up in $_SERVER, not in $_ENV.
Note: @Laruence reminded me that when the configuration is set through nginx's fastcgi_param, nginx has to transfer that data to PHP on every request, so setting it through php-fpm's env is relatively more efficient. Brother Niao (Laruence) recommends going further and using a dedicated extension such as "hidef".
Solving the problem through the nginx or php-fpm configuration files has one drawback: it only works for the web. When a script runs from the command line, the values are not available in $_SERVER. This is not hard to fix: write a shared script that reads the nginx or php-fpm configuration file and maps the values into the command-line environment. I will leave that to you.
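The command-line mapping the text leaves to the reader, as an added example that is not part of the original post. It assumes the php-fpm main configuration lives at /etc/php-fpm.conf, uses the DATABASE_HOST, DATABASE_USERNAME and DATABASE_PASSWORD names from the php-fpm snippet above, and the configuration it writes for the demonstration is constructed, not taken from a real deployment.

```php
<?php
// Added example, not from the original post. Under php-fpm or nginx the
// DATABASE_* values arrive in $_SERVER; on the command line they are absent,
// so this loader falls back to parsing the env[...] lines of php-fpm.conf.
// The path /etc/php-fpm.conf, the key names and the sample file below are
// assumptions made for this example.

// Extract "env[NAME] = value" lines from a php-fpm configuration file.
function parse_fpm_env(string $fpmConfPath): array
{
    $values = array();
    if (!is_readable($fpmConfPath)) {
        return $values;
    }
    foreach (file($fpmConfPath, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        // Matches e.g.  env[DATABASE_HOST] = 192.168.0.1  (comment lines start with ;)
        if (preg_match('/^\s*env\[([A-Za-z_][A-Za-z0-9_]*)\]\s*=\s*(.*?)\s*$/', $line, $m)) {
            $values[$m[1]] = trim($m[2], '"\'');  // strip surrounding quotes if present
        }
    }
    return $values;
}

// Return the database settings, taken from $_SERVER (web) or, on the CLI,
// from php-fpm.conf. It throws instead of falling back to a built-in default,
// so a misconfigured deployment fails loudly rather than using a stale secret.
function load_database_config(string $fpmConfPath = '/etc/php-fpm.conf'): array
{
    $source = $_SERVER;
    if (PHP_SAPI === 'cli') {
        // Values already exported in the shell win; php-fpm.conf fills the rest.
        $source = $source + parse_fpm_env($fpmConfPath);
    }
    $required = array('DATABASE_HOST', 'DATABASE_USERNAME', 'DATABASE_PASSWORD');
    foreach ($required as $name) {
        if (!isset($source[$name]) || $source[$name] === '') {
            throw new RuntimeException("Missing configuration value: $name");
        }
    }
    return array(
        'database' => array(
            'host'     => $source['DATABASE_HOST'],
            'username' => $source['DATABASE_USERNAME'],
            'password' => $source['DATABASE_PASSWORD'],
        ),
    );
}

// Demonstration with a constructed php-fpm.conf written to a temporary file
// (the values are the sample ones used on this page).
$tmpConf = tempnam(sys_get_temp_dir(), 'fpm');
file_put_contents($tmpConf, implode("\n", array(
    '[www]',
    '; constructed sample, not a real deployment',
    'env[DATABASE_HOST] = 192.168.0.1',
    'env[DATABASE_USERNAME] = administrator',
    'env[DATABASE_PASSWORD] = e1bfd762321e409cee4ac0b6e841963c',
)) . "\n");

$config = load_database_config($tmpConf);
unlink($tmpConf);
echo "host: {$config['database']['host']}, user: {$config['database']['username']}\n";
```

Run it with the php CLI; the branch on PHP_SAPI means the same loader can be required from web code, where it simply reads $_SERVER. Keeping the fallback in one shared function, rather than sprinkling reads of $_SERVER through the code base, also makes it a single place to audit for who can reach the credentials.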
The code is now clean, and the remaining work is securing the nginx or php-fpm configuration file itself. Compared with the code, far fewer people need permissions on the nginx or php-fpm configuration file, so it is relatively easier to manage.
There is also an important function, phpinfo(), that everyone must pay attention to. If phpinfo() can be displayed normally, it reveals the following details.
phpinfo() provides the following information:
* PHP version (exact version information, including build version)
* System version information (exact version information, including build version)
* Extension directory (the directory where PHP is located)
* SMTP server information
* Sendmail path (if Sendmail is installed)
* POSIX version information
* Database
  * ODBC settings (including path, database name, default password, etc.)
  * MySQL client version information (exact version information, including build version)
  * Oracle version information and library path
  * The actual path to the location
* Web server
  * IIS version information
  * Apache version information
* If running under Win32:
  * Computer name
  * Location of the Windows directory
  * PATH (can be used to leak information about installed software)
Example:
Visit a URL similar to the following:
http://www.example.com/PHP/phpinfo.php
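The two halves of this post meet in phpinfo(): its "PHP Variables" section prints every $_SERVER entry, so credentials handed to PHP through fastcgi_param or env[] are displayed by any reachable phpinfo page. The following is an added example, not part of the original post, that checks this on a running PHP and shows that unsetting the key after the application has read it removes it from the report. The DATABASE_PASSWORD value is the sample credential used on this page and is assigned directly here (constructed input) rather than coming from nginx or php-fpm.

```php
<?php
// Added example, not part of the original post. It demonstrates that a value
// placed in $_SERVER (as fastcgi_param or php-fpm env[] do) is printed by
// phpinfo(), and that unset() after the application has read it removes it
// from that output. The password below is the sample value from this page,
// assigned here directly as constructed input.

// Return true if $needle would appear in the "PHP Variables" section of
// phpinfo(), which lists every $_SERVER entry. Output buffering captures the
// report so nothing is sent to the client.
function phpinfo_exposes(string $needle): bool
{
    if (!function_exists('phpinfo')) {
        // phpinfo is listed in disable_functions: nothing can leak this way
        // (function_exists() reports disabled functions as absent).
        return false;
    }
    ob_start();
    phpinfo(INFO_VARIABLES);
    $report = (string) ob_get_clean();
    return strpos($report, $needle) !== false;
}

$secret = 'e1bfd762321e409cee4ac0b6e841963c';
$_SERVER['DATABASE_PASSWORD'] = $secret;

// Typical application flow: read the credential once, then drop it from
// $_SERVER so that later code in the same request cannot dump it.
$dbPassword   = $_SERVER['DATABASE_PASSWORD'];
$leakedBefore = phpinfo_exposes($secret);
unset($_SERVER['DATABASE_PASSWORD']);
$leakedAfter  = phpinfo_exposes($secret);

printf("visible in phpinfo() before unset: %s\n", $leakedBefore ? 'yes' : 'no');
printf("visible in phpinfo() after unset:  %s\n", $leakedAfter ? 'yes' : 'no');
```

Running it from the CLI is enough to see the effect; the behaviour is the same under php-fpm. The unset() only protects against code that runs later in the same request, so on a production host the phpinfo page itself must not be reachable, and listing phpinfo in disable_functions in php.ini removes the function altogether, which is the setting the check above detects.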