数据库安全

目录

今时今日,数据库系统已经成为各个动态网站上 web 应用程序的重要组成部分。由于非常敏感和机密的数据有可能保存在数据库中,所以对数据库实施保护就显得尤为重要了。

要从数据库中提取或者存入数据,就必须经过连接数据库、发送一条合法查询、获取结果、关闭连接等步骤。目前,能完成这一系列动作的最常用的查询语言是结构化查询语言 Structured Query Language (SQL)。可以看看攻击者是如何篡改 SQL 查询语句的

PHP 本身并不能保护数据库的安全。下面的章节只是讲述怎样用 PHP 脚本对数据库进行基本的访问和操作。

记住一条简单的原则:深入防御。保护数据库的措施越多,攻击者就越难获得和使用数据库内的信息。正确地设计和应用数据库可以减少被攻击的担忧。

添加备注

用户贡献的备注 1 note

up
1
gabe dot aust at gmail dot com
14 days ago
The most significant way to protect databases is to simply use authentication! There are production systems online with null and default administrator credentials. See the recent "The Real World" hack...
Rule 1: Simply use authentication instead of not using it... Obviously do not save the credentials in a public-readable file.
Rule 2: Create a subsidiary account with access only to the live schema being used by your PHP app, i.e. never use the global DBMS admin account as a service login.
Rule 3: Block access at the DBMS end to only allow the web server to access the API. Most access is network based so that will involve filtering by IP.
Rule 4: You can obfuscate a bit more by setting a non-standard port but this may require code changes in the API calls you coded.
The above are some simple steps anyone can perform. More serious securing would likely involve setting up SSL connectivity.
To Top