Manual:Securing database passwords/zh

By default, LocalSettings.php contains the MySQL database user ID and password. Keeping these credentials in LocalSettings.php is risky because, in rare cases, a PHP file can be served to the outside world as plain text, exposing them:


 * PHP is disabled on the server
 * PHP itself crashes
 * You have the CGI search.pl (a common CGI search script) anywhere on that domain. See the vulnerability description.

If you want to protect your MySQL user name and password against these rare cases, they should not be part of the LocalSettings.php file at all.



MySQL password outside the webroot
Never put the MySQL password in a text file inside the web root. You can avoid doing so like this:


 * Make a directory outside your web root. For example, if your website is located at " ", then make a directory called "external_includes" outside of your web root:
 * mkdir /external_includes
 * In the directory you just made, create a file called something like "mysql_pw.php" and put one variable per line for each of your MySQL user name, password, host name and database name, each variable set to the real value. For example, using nano as your editor:
 * nano /external_includes/mysql_pw.php
 * Type the following lines, using the real values in place of the bracketed "mysql_" fillers:


 * Take care to leave no whitespace (blank lines) after the text, and do not end the file with a closing ?> tag: anything PHP finds after ?> (even a single newline) is sent to the client as output, which breaks HTTP headers and can reveal that the include exists.
 * Save and close the file. In nano this is Ctrl+O (write out) followed by Ctrl+X (exit).

Check with your distro for the web server's user and group. This varies; examples include "apache", "www-data", "nobody" and "httpd". If PHP runs under PHP-FPM, the relevant user is the one configured for the FPM pool, which may differ from the web server's own user, and if open_basedir is set, the include directory must be within it or the require will fail. Then set the permissions for the password file like so:


 * chgrp apache mysql_pw.php
 * chmod 640 mysql_pw.php (removes all access rights from others and write rights from the web server group; the owner keeps read and write)
 * Repeat the same chgrp and chmod for LocalSettings.php, so the web server can read it but not write it and other users cannot read it at all.
 * Make sure the file owner keeps read access; if the web server user itself owns the file, chmod 400 LocalSettings.php is the equivalent tight setting.


 * Edit your LocalSettings.php file and add a line at the beginning of the file (directly after the opening <?php) that includes the new file by its absolute path with require_once:


 * Now remove these variables from LocalSettings.php:

$wgDBserver, $wgDBname, $wgDBuser, $wgDBpassword

This way, if somebody is able to fetch and display LocalSettings.php as text, all they will see is some settings and an include line rather than the user name, password and host of your MySQL database, and the file that actually contains that information has no URL because it sits outside the web root. Note what this does and does not protect against: the PHP process must still be able to read mysql_pw.php, so a local file inclusion or path traversal bug in the application can still reach it; the measure defends against the source-disclosure cases listed above, where files under the web root are served verbatim. You still need to make sure LocalSettings.php is read-only for the web server user, as described above.