我正在構建一個私人CMS供我自己使用,並且我將開始構建用戶名和密碼存儲功能。我正在考慮將所有管理員用戶名,密碼和用戶詳細信息存儲在PHP文件的多維數組中,而不是使用SQL將它們存儲在數據庫中。使用PHP多維數組作爲數據庫
我爲希望使用存儲用戶信息的這種非傳統的方法的原因是它們認爲這將使它更難攻擊者獲得未經授權訪問用戶信息(用戶名,密碼,IP地址等),因爲我不會連接到MySQL數據庫。
代碼的粗線條:
add_user.php
// set the last referrer session variable to the current page
$_SESSION['last_referrer'] = 'add_user.php';
// set raw credential variables and salt
$raw_user = $_POST['user'];
$raw_pass = $_POST['pass'];
$raw_IP = $_SERVER['REMOTE_ADDR'];
$salt = '&^${QqiO%Ur!W0,.#.*';
// set the username if its clean, else its false
$username = (is_clean($raw_user)) ? $raw_user : false; // is_clean() is a function I will build to check if strings are clean, and can be appended to an array without creating a parsing error.
// set the salted, sanitized, and encrypted password if its clean, else its false
$password = (is_clean($raw_pass)) ? $salt . encrypt($raw_pass) : false; // encrypt() is a function I will build to encrypt passwords in a specific way
// if username and password are both valid and not false
if($username && $password) {
// set the users IP address
$IP = sanitize($raw_IP);
// create a temporary key
$temp_key = $_SESSION['temp_key'] = random_key();
// random_key() is a function I will build to create a key that I will store in a session only long enough to use for adding user info to the database.php file
// add user details array to main array of all users
$add_user = append_array_to_file('database.php', array($username, $password, $IP));
// append_array_to_file() is a function I will build to add array's to the existing multidimensional array that holds all user credentials.
// The function will load the database.php file using cURL so that database.php can check if the temp_key session is set, the append_array_to_file() function will stop and return false if the database.php file reports back that the temp_key is not set.
// The function will crawl database.php to read the current array of users into the function, will then add the current user's credentials to the array, then will rewrite the database.php file with the new array.
// destroy the temporary session key
unset($_SESSION['temp_key']);
}
else {
return false;
}
database.php中
$users_credentials = array(1 => array('username' => 'jack',
'password' => '&^${QqiO%Ur!W0,.#.*HuiUn34D09Qi!d}Yt$s',
'ip'=> '127.0.0.1'),
2 => array('username' => 'chris',
'password' => '&^${QqiO%Ur!W0,.#.*[email protected]&^4#',
'ip'=> '873.02.34.7')
);
然後,我會創建自定義函數來模仿像SQL查詢選擇在驗證用戶試圖登錄使用。
我的問題
這是一個壞主意,如果是這樣,爲什麼呢?
我是否正確認爲這會減少黑客試圖獲得未經授權的訪問,嗅探/竊取密碼等的可能性,因爲我沒有連接到遠程數據庫?
如果使用諸如螢火蟲什麼的工具,它可能是能夠查看整個陣列。如果這是真的,我不會推薦使用這個 –
@DarylGill,那麼不會有任何和每個PHP腳本都不安全/可變? –
1)是的 - 獲得很少的收益很多,事實上可能會帶來更多的風險。 2)只有當你考慮到他人擁有的每個弱點以及更多。如果您真的擔心流量嗅探,請通過ssh隧道連接您的mysql連接。 – sonofagun