using htaccess to hide database passwords

I have a PHP class that connects to a database which has the password to the database hard coded into it. I do NOT have access to folders outside the webroot. Reading this forum and others it seemed that creating a htaccess file with

order allow,deny
deny from all

in the directory with my PHP classes would do the trick. However, after doing some quick testing it seems this also blocks the public files which need access to the database to generate the site. To be clear, this is the structure I want:

index.php (public file which calls on PHP classes that access the database)
php_classes/DatabaseConnect.php (contains the password to the database. I want to hide this from everything that is not uploaded onto my site --- or better yet only to specific files I name)
...

thanks, brook


Do not place your PHP code in the webroot. Frameworks will typically use this technique where they only put a bootstrap file in the webroot... you can do the same and place your PHP file with sensitive information above your web root so it cannot be browsed.

Your bootstrap file would then pull the protected code in with something like (directory name is a placeholder):

require_once __DIR__ . '/../safe_dir_above_webroot/DatabaseConnect.php';


If you're worried about others seeing the login details to your database, rest assured that it cannot be seen if inserted between PHP tags.

.htaccess is a little tricky with some servers. It seems quite a few setups hate overruling which I can understand.

Since you have suggested that you cannot access folders outside of the root directory, you may just want to do something like this.

define("include_allowed", true);

Call that in the leading file, for instance index.php. When a file is included it should check to see if include_allowed has been set true.

// defined() avoids reading an undefined constant (a fatal error on PHP 8);
// exit is needed because header() alone does not stop the rest of the file.
if (!defined('include_allowed') || include_allowed !== true) {
    header('HTTP/1.1 404 Not Found');
    exit;
}

This checks to see if it has been included by index.php or which ever file that has defined include_allowed true.

If it fails to return true, a 404 error is sent saying not found to trick users! :)
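The two approaches in the answers above (a bootstrap file pulling configuration from above the webroot, and an entry-point constant that every included file checks) combine naturally. The following is an added example written for this page, not code from any of the answerers; it shows the two files from the question's layout in one listing, separated by comments. The constant name APP_ENTRY, the directory safe_dir_above_webroot, the file db.php and the connection values are all placeholders, and it assumes PHP 7.4 or later with PDO.

```php
<?php
// Added example, not part of the original answers. Two files are shown;
// the "file:" comments mark where each one starts.

// ---- file: index.php (public entry point, inside the webroot) ----
// APP_ENTRY is an assumed name; any constant works as long as every
// included file checks the same one.
define('APP_ENTRY', true);
require_once __DIR__ . '/php_classes/DatabaseConnect.php';

$db = DatabaseConnect::get();
// ... build the page with $db ...

// ---- file: php_classes/DatabaseConnect.php ----
// A direct request for this URL never passes through index.php, so
// APP_ENTRY is undefined there. defined() is used instead of reading the
// bare constant, which is a fatal error on PHP 8 when it does not exist.
// exit is essential: sending a status code does not stop execution.
if (!defined('APP_ENTRY')) {
    http_response_code(404);
    exit;
}

final class DatabaseConnect
{
    private static ?PDO $pdo = null;

    public static function get(): PDO
    {
        if (self::$pdo === null) {
            // Prefer credentials from a file above the webroot (answer 1) when the
            // host allows it; fall back to values inside this guarded file only
            // when it does not. The path is a placeholder; db.php is expected to
            // `return ['dsn' => ..., 'user' => ..., 'pass' => ...];`
            $cfg = __DIR__ . '/../../safe_dir_above_webroot/db.php';
            if (is_readable($cfg)) {
                $c = require $cfg;
            } else {
                $c = [
                    'dsn'  => 'mysql:host=localhost;dbname=app', // placeholder
                    'user' => 'app',                             // placeholder
                    'pass' => 'CHANGE_ME',                       // placeholder
                ];
            }
            self::$pdo = new PDO($c['dsn'], $c['user'], $c['pass'], [
                PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            ]);
        }
        return self::$pdo;
    }
}
```

With this in place a request for /php_classes/DatabaseConnect.php returns an empty 404 while index.php keeps working, because the guard only runs on direct requests. Keep in mind what the guard does and does not cover: PHP executes a .php file rather than echoing it, so the credentials are exposed mainly when the PHP handler is missing for a directory or when an editor leaves a backup copy (for example a .bak or a trailing ~) that the server serves as plain text; an .htaccess deny rule helps with those only if its pattern matches such names too.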


Since your file is PHP, it will be processed by the PHP exe before being rendered to the client. So the password should not be visible. Having said that, to use htaccess to stop viewing of a particular file you can do this

# Files matches a file name only, not a path, so this block belongs in
# php_classes/.htaccess (or in a Directory section naming that folder).
<Files "DatabaseConnect.php">
    Deny From All
</Files>