PHP Security / Databases and SQL / Exposed Access Credentials Mon, Jun 18. 2007
Most PHP applications interact with a database. This usually involves connecting to a database server and using access credentials to authenticate. A typical arrangement is a file called db.inc that is included whenever a connection to the database is needed. This approach is convenient, and it keeps the access credentials in a single file.
Potential problems arise when this file is somewhere within document root. This is a common approach, because it makes include and require statements much simpler, but it can lead to situations that expose your access credentials.
Remember that everything within document root has a URL associated with it. For example, if document root is /usr/local/apache/htdocs, then a file located at /usr/local/apache/htdocs/inc/db.inc has a URL such as http://example.org/inc/db.inc.
Combine this with the fact that most Web servers will serve .inc files as plain text, and the risk of exposing your access credentials should be clear. A bigger problem is that any source code in these modules can be exposed, but access credentials are particularly sensitive.
Of course, one simple solution is to place all modules outside of document root, and this is a good practice. Both include and require accept a filesystem path, so there is no need to make modules accessible via URL. It is an unnecessary risk.
If you have no choice in the placement of your modules, and they must be within document root, you can put something like the following in your httpd.conf file (assuming Apache):
It is not a good idea to have your modules processed by the PHP engine. This includes renaming your modules with a .php extension as well as using AddType to have .inc files treated as PHP files. Executing code out of context can be very dangerous, because it is unexpected and can lead to unknown results. However, if your modules consist of only variable assignments (as an example), this particular risk is mitigated.
My favorite method for protecting your database access credentials is described in the PHP Cookbook (O'Reilly) by David Sklar and Adam Trachtenberg. Create a file, /path/to/secret-stuff, that only root can read (not nobody, the user the Web server runs as):
Include this file within httpd.conf as follows:
Now you can use $_SERVER['DB_USER'] and $_SERVER['DB_PASS'] in your code. Not only do you never have to write your username and password in any of your scripts, but the Web server can't read the secret-stuff file either, so no other users can write scripts to read your access credentials (regardless of language). Just be careful not to expose these variables with something like phpinfo() or print_r($_SERVER).
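As an added example (not code from the original post), here is the pattern this section ends on, written in PHP: the credentials are read from $_SERVER, a module path is checked against document root, and $_SERVER is redacted before any debug dump. The function names, the dbname=app DSN and the error wording are my own assumptions.

```php
<?php
// Added example, not code from the original post. Assumes Apache has set
// DB_USER and DB_PASS with SetEnv from a root-only file included in httpd.conf,
// so they appear in $_SERVER; the function and path names are hypothetical.
declare(strict_types=1);

// Read the credentials from the environment the Web server provides.
// Fails closed: there is no hard-coded fallback username or password.
function loadDbCredentials(array $server): array
{
    foreach (['DB_USER', 'DB_PASS'] as $key) {
        if (!isset($server[$key]) || $server[$key] === '') {
            // Name only the missing key in the error, never a value.
            throw new RuntimeException("$key is not set; check the SetEnv file included from httpd.conf");
        }
    }
    return ['user' => $server['DB_USER'], 'pass' => $server['DB_PASS']];
}

// True if $path resolves to somewhere outside $documentRoot, i.e. it has no
// URL and can never be served as plain text. Both paths must exist for
// realpath() to resolve them; anything unresolvable is treated as unsafe.
function isOutsideDocumentRoot(string $path, string $documentRoot): bool
{
    $real = realpath($path);
    $root = realpath($documentRoot);
    if ($real === false || $root === false) {
        return false;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Trailing separator on both sides so /htdocs does not match /htdocs2.
    return strncmp($real . DIRECTORY_SEPARATOR, $root, strlen($root)) !== 0;
}

// A copy of $_SERVER that is safe to print while debugging: print_r($_SERVER)
// or phpinfo() would otherwise disclose the credentials to anyone viewing the page.
function redactedServer(array $server): array
{
    foreach (['DB_USER', 'DB_PASS'] as $key) {
        if (array_key_exists($key, $server)) {
            $server[$key] = '[redacted]';
        }
    }
    return $server;
}

// Usage inside a page: connect with PDO without the credentials ever appearing in a script.
$creds = loadDbCredentials($_SERVER);
$pdo = new PDO('mysql:host=localhost;dbname=app', $creds['user'], $creds['pass']);
```

Run isOutsideDocumentRoot() over each module your scripts include during a deployment check; any path for which it returns false is reachable by URL and needs either relocation or the httpd.conf protection described above.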
© 2007 nullTao - 净空无道 - Blog