Geek Answers Handbook

Prevent scripts from stealing a password in an open source PHP project?

I am currently developing a PHP framework. Other developers can create modules for the framework. The source code of these modules should be in the framework directory.

Since the project is open source, the modules know the location of the configuration file in which there is a database password. How to protect passwords from malicious modules? Make sure the modules can simply require_oncecreate a configuration file and do harmful things!

I currently store database passwords in a directory called config and protect it with a .htaccess file:

<Directory config>
order allow,deny
deny from all
<Directory>

But this is not enough so that the scripts do not steal the password, right?

I read a thread. How to protect database passwords in PHP? but it didn’t help me find the answer.

+5
source share
8 answers

In PHP you cannot. This is not a sandbox; any code you execute gets all the permissions of the user with whom it works. He can read and write files, execute commands, make network connections, etc. You must absolutely trust any code that you bring to your project to behave yourself.

, . , . - . OS, .php , -, . , PHP-.

, Java, , (. SecurityManager .).

+3

, PHP . , ​​ - , /, . , API , . . - .

+2

, , , . , .

: , (, , ), , . , script. , fopen file_get_contents. , , , , , file_get_contents file_put_contents, / script (, fopen). file_get_contents file_put_contents, script , PHP file_get_contents file_put_contents. file_get_contents , , ; , , "access denied", , _ , . file_put_contents, , ( , , !), , , , CHMOD, . , , , "exec" .

- PHP-, .

+2

, , , php-, , .

.

+1

, , ...

runkit? PHP.

, -, , GitHub : zenovich/runkit GitHub

, , , , OK .

+1

, . , , . , cookie .. ..

, (, ), .

+1

. , , - config.ini.dist

, config.ini .

, , ​​ . , , , .

- , .

0

, . , , , . , , , ? . , , . , : ? , , ? , , (, IP/).

0
source

More articles:


All Articles