In the past I have stored database credentials (username, password) in another file (outside of the web directory) and included this in a PHP page to make connections with the database. Since I have started doing a lot of database interaction via AJAX, I have to change how I do this, since the AJAX script cannot include a script outside the web directory.
过去,我将数据库凭据(用户名、密码)存储在另一个文件(web目录之外)中,并将其包含在PHP页面中,以便与数据库进行连接。由于我已经开始通过AJAX进行大量的数据库交互,所以我必须改变我的方式,因为AJAX脚本不能包含web目录之外的脚本。
In order to deal with AJAX database connections, I need a good secure way to get the username and password data to the AJAX script. What is the best (secure and handy) way to do this? If i simply put my database credentials file in the web directory, what permissions to give it? Is this a good/bad idea?
为了处理AJAX数据库连接,我需要一种安全的方法来获得AJAX脚本的用户名和密码数据。做这件事最好的(安全的和方便的)方法是什么?如果我只是将数据库凭据文件放在web目录中,那么应该给它什么权限呢?这是个好/坏主意吗?
Thanks a lot!
谢谢!
** EDIT **
* *编辑* *
Apparently there is not problem including files outside of web root directory, I was mistaken. Thanks very much, this probably changes things for me... :-/
显然包含web根目录之外的文件没有问题,我错了。非常感谢,这可能会改变我……:- /
** EDIT 2 **
2 * * * *编辑
Indeed that changed everything for me, I was able to include the database config file which i was using in all the pages (which resided outside the web root), so this is great!
实际上,这改变了我的一切,我可以在所有页面(位于web根目录之外)中包含我正在使用的数据库配置文件,所以这很棒!
2 个解决方案
#1
1
if you are not opposed to changing things up a little bit, I think you should use your backend to interface with the database, and just use your ajax to hit those interfaces to the DB. that way you dont have to ever "Store db creds" client side
如果您不反对稍微更改一些内容,我认为您应该使用后端与数据库进行交互,并使用ajax将这些接口连接到DB。这样你就不必“存储db creds”客户端了
OR if you absolutely must save client side, you should figure out a way to reduce your access to a hashed / salted key that you save in a session cookie or something
或者,如果您绝对必须保存客户端,那么您应该找到一种方法来减少您对保存在会话cookie或其他东西中的散列/盐键的访问
#2
2
If you are using AJAX, you should just call a php-page for instance insert.php. Within this php you can include any php you want(even outside the root-folder). so you could just include db-credentials.php in the insert.php
如果您正在使用AJAX,那么应该为实例insert.php调用一个php页面。在这个php中,您可以包含任何您想要的php(甚至在根文件夹之外)。所以你可以只包括db凭证。php在insert.php
#1
1
if you are not opposed to changing things up a little bit, I think you should use your backend to interface with the database, and just use your ajax to hit those interfaces to the DB. that way you dont have to ever "Store db creds" client side
如果您不反对稍微更改一些内容,我认为您应该使用后端与数据库进行交互,并使用ajax将这些接口连接到DB。这样你就不必“存储db creds”客户端了
OR if you absolutely must save client side, you should figure out a way to reduce your access to a hashed / salted key that you save in a session cookie or something
或者,如果您绝对必须保存客户端,那么您应该找到一种方法来减少您对保存在会话cookie或其他东西中的散列/盐键的访问
#2
2
If you are using AJAX, you should just call a php-page for instance insert.php. Within this php you can include any php you want(even outside the root-folder). so you could just include db-credentials.php in the insert.php
如果您正在使用AJAX,那么应该为实例insert.php调用一个php页面。在这个php中,您可以包含任何您想要的php(甚至在根文件夹之外)。所以你可以只包括db凭证。php在insert.php