Secure a PHP file_问答_开发者_运维开发者技术经验分享

开发者 https://www.devze.com 2022-12-16 16:31 出处：网络

I have a PHP file i made that basically give me passwords to all my users. I want to be the only one able to view the co开发者_开发百科ntents and see the page. Whats the best way doing it?

Password protection? Requiring a special cookie that only I have?

Give me some ideas..

I'd recommend that you stop storing passwords and store the hash of the password instead. Even you shouldn't really know your users' passwords.

What you're doing isn't even authentication or authorization. At best it's identification. If you're hell-bent-for-leather on doing it, what Chacha102 said, plus you'll also want to chgrp it and chmod it so that only the internet user and your user can view it.

If you want to be able to see if via a browser, try these:

Look into WWW Basic Authentication, which will basically have the browser prompt you for a username and password.

http://www.htaccesstools.com/htaccess-authentication/
http://eregie.premier-ministre.gouv.fr/manual/howto/auth.html

If you have a static IP address, you could make sure that only your IP address can see the page:

if($_SERVER['REMOTE_ADDR'] != '192.168.1.1')
{
      die();
}

If it isn't suppose to be seen by a browser, The BEST Solution would be to put the file above the DocumentRoot. AKA:

If your index.php file is at /Path/To/Root/Public_HTML put the file in /Path/To/Root

Don't store your users passwords in plaintext, hash them in the database.

Since I'm assuming you need the functionality of logging in as a user, I would suggest creating a script that let's administrator accounts (you can identify that however you want) log in as any user.

If you're storing all the data in a location that's under the wwwroot, then you risk downloading of the file, whether by bad configuration of by security vulnerability. It is also possible that this solution includes hard coding of users and passwords, which makes password rotation more difficult. And if users can change values in the file, you've got to be extremely careful that they can't inject PHP code into the password file, or they'll be able to take over your application. And the ability of an administrator to see cleartext passwords is considered a bad practice, and should be avoided.

The modern best practice is to not do it that way, if at all possible. Store the data in a location from where the web server does not normally allow direct downloads (such as outside wwwroot or in a database where you've protected against SQL injection issues), implement an authentication and authorization scheme, and rely on that scheme to control who's allowed to do what.

Check out www.owasp.org to get more details - it's a great starting point.