开发者

keep the username and password of my sql unreadable by admin

I hav开发者_StackOverflow社区e a file setup.php.

This file has the mysql username and password. Is there any method to make it unreadable or encrypt it so that even the admin can not read it, or can read it but still not know the password?


The short answer is that for practical purposes you can make it harder for them to access it but not impossible.

If someone has full access to a server filesystem (eg, with root permissions) then they can read any data off that filesystem, so they can read the code and any data files that you place on there. As the application running on that host needs to be able to use the credentials there's no effective way to prevent someone with full access to that server from reading them.

You could obfuscate them, to make it a bit harder. if you encrypt the credentials in the setup.php file and then placed a decryption algorithm and key in another php file, it would stop someone just opening the file and getting the creds, but it they could always reverse engineer that solution if they're determined enough.

Additionally if they've got full control of the server it would be possible to use a packet sniffing tool to get the credentials as they're used (unless you're encrypting them with something like SSL).

Ultimately if someone is running an application and controls the server you have to place a level of trust in them.

As an aside there's a stackexchange site at security.stackexchange.com that's a good place for questions like this.


Create a new user in MySQL and give some basic permissions for that user. Then you will have two users, your admin account and the user account with limit privileges.

You also can deny view a folder where your setup.php is located doing the same trick, create other user in your OS to limit restrictions to that folder

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜