您好,感谢大家阅读我的问题。
我已经在PHP网络程序上工作了一段时间,并且想知道我应该采取什么措施来保护源,然后再把它放在实时服务器上。 源不是分发的,它是通过网站访问的(用户登录网站使用它)。
首先,我想保护源php文件不被发现和下载。 我没有使用任何框架,只是php和所有文件都在主目录中作为index.php。 我四处看看,似乎robots.txt对于隐藏并不是很有效。 我发现了一些推荐.htaccess的人的帖子,但我经常认为这是用密码保护目录中的文件,所以不确定是否有办法让htaccess适合网络应用程序。
其次,我想保护源文件,以防有人访问它们(要么找到它们并下载它们,要么是一个可以随时访问服务器的系统管理员)。 我想到了像ioncube这样的源码加密。 我的主人也有GnuPG [我不熟悉,与ioncube相比有什么想法?]
我不熟悉源代码保护,所以任何想法都会很好,当然非常感谢你:)
Hello and thanks to everyone for reading my question.
I've been working on a PHP web program for a little while and was wondering what measures should I take to protect the source before putting it on a live server. The source isn't being distributed, it's being accessed through a website (users log into the website to use it).
First I'd like to protect the source php files from being found and downloaded. I'm not using any framework, just php and all files are in the home directory as index.php. I read around and it seems that robots.txt isn't really effective for hiding. I came across some posts of people recommending .htaccess, but I often thought it was for protecting files within a directory with a password, so not sure if there's a way to make it htaccess suitable for a web app.
Second, I'd like to protect the source files in the case someone gets access to them (either finds them and downloads them or a sys admin that has ready access to the server). I thought of source encryption with something like ioncube. My host also has GnuPG [which I'm not familiar with, any thoughts about it compared to ioncube?]
I'm not familiar with source protection, so any ideas would be nice, and of course thank you muchly :)
最满意答案
只需确保您的Web服务器设置正确处理.php文件,并且所有文件都具有正确的.php扩展名(不是.php.inc或类似)
只要您的服务器执行PHP,没有人可以下载其源代码(忽略代码中的任何安全漏洞,这是一个不同的主题)
有一段时间,通常会在mystuff.php.inc的行中命名包含文件 - 这是一个坏主意。 假设您的站点位于“example.com”,并将数据库配置存储在config.php.inc - 如果有人猜到此URL,他们可以请求http://example.com/config.php.inc并获取您的数据库以纯文本登录..
当bisko回答时 ,将配置和其他库存储在一个目录中是个好主意 - 所以你有一个类似的目录结构。
/var/example.com: include/ config.php helper_blah.php webroot/ index.php view.php这样,即使您的Web服务器配置搞砸了,并开始以纯文本形式提供.php文件,它也会很糟糕,但至少您不会向全世界宣布您的数据库详细信息。
至于加密文件,我认为这不是一个好主意。文件必须是未加密的Apache(或你正在使用的任何服务器)可以访问它们。 如果Apache可以访问它,你的系统管理员也可以..
我不认为加密是一个不值得信任的系统管理员的解决方案..
Just make sure your web server is set up to handle .php files correctly, and that all files have the correct .php extension (not .php.inc or similar)
As long as your server executes the PHP, no one can download its source code (ignoring any security holes in your code, which is a different topic)
There was a time when it was common to name included files along the lines of mystuff.php.inc - this is a bad idea. Say your site is at "example.com", and you store your database configuration in config.php.inc - if someone guesses this URL, they can request http://example.com/config.php.inc and get your database login in plain text..
It is a good idea to store configuration and other libraries up one directory as bisko answered - so you have a directory structure like..
/var/example.com: include/ config.php helper_blah.php webroot/ index.php view.phpThis way, even if your web-server config gets screwed up, and starts serving .php files as plain text, it'll be bad, but at least you wont be announcing your database details to the world..
As for encrypting the files, I don't think this is a good idea.. The files must be unencrypted to Apache (or whatever server you're using) can access them. If Apache can access it, your sysadmin can too..
I don't think encryption is the solution to an untrustworthy sysadmin..
更多推荐
发布评论