问题描述
我对事物的安全方面完全陌生.我有一个带有管理页面的网站,admin.php 可以访问几个 .php 文件,这些文件对我更新数据库等有用.因此,通过我的管理页面,我可以使用以下内容保护我的登录:
I'm completely new to the security side of things. I have a website with an admin page, admin.php that accesses several .php files which do work for me updating databases etc. So with my admin page I can secure my login using something like:
<?php
define('SALT_LENGTH', 9);
function generateHash($plainText, $salt = null)
{
if ($salt === null)
{
$salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
}
else
{
$salt = substr($salt, 0, SALT_LENGTH);
}
return $salt . sha1($salt . $plainText);
}
?>
上面的方法很好吗,我应该做些额外的事情吗?
Is that a good method above, should I be doing something extra?
php 文件,比如它们存储在/phpfiles/dosomething.php 中我如何保护 dosomething.php?它应该有密码吗?如果我有密码,admin.php 如何访问它?
The php files, say they're stored such as /phpfiles/dosomething.phphow do I secure dosomething.php? Should it have a password on it? If I have a password on it how does admin.php access it?
谢谢
推荐答案
生成哈希只是安全和身份验证的一部分.
Generating a hash is only one part of security and authentication.
就访问脚本而言,常见的建议是将您的 php 文件存储在 webroot 之外.因此,您无法使用 http://domain.com/youphpfile.php 访问文件而是使用 .htaccess 将所有流量重定向到 index.php 文件并从那里路由请求.
As far as access to the scripts goes, the common recommendation is to store your php files outside of the webroot. So you files can't be access using http://domain.com/youphpfile.phpInstead using .htaccess redirecting all traffic to an index.php file and routing the request from there.
根据您正在处理的网站的大小,您是否考虑过使用一些具有 Auth 模块的 PHP 框架?
Depending on the size of the website you are working on have you looked into using some PHP frameworks that have Auth modules?
或者,如果您有一个较小的网站并且只需要几个脚本,请考虑使用 Apache 研究 htpasswd.所以你可以用密码保护整个目录.即您的 webroot 中的 admin 目录.
Alternatively, if you do have a smaller website and you only need a few scripts, consider looking into htpasswd with Apache. So you can password protect an entire directory. i.e. the admin directory in your webroot.
这篇关于保护我访问多个 php 文件的管理页面的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!